13 Comments

  1. Howdy_McGee

    Ya know, I’d feel better about usernames being in the public API if a 2FA of some sort was implemented into core. Until that happens, most my client base doesn’t care about author names so I’ll continue to block or redirect anything referring to them.

    Report

    • mark k.

      exposing user login name is a security threat especially for a site like that, as it makes it easier to DDOS a site as login attempts, even if using wrong password take a relatively huge amount of CPU resources by (the correct) design.

      it is amazing to me that core is willing to break backward compatibility for UI candy like the text widget or gutenberg but can not break it to fix this kind of security issue.

      Report

  2. Hashim Warren

    It’s telling that the wider world equities stock WordPress with lack of security

    Report

    • Jimmy Smutek

      It’s been that way as long as I can remember. It’s really more a user problem than it is the software being insecure.

      The WordPress team rolls out patches quickly, but how many sites have you come across with core out of date, 50 plugins installed, 45 of them active, 44 needing an update or no longer supported. That scenario is far more common than a well maintained site, unfortunately.

      Add to that the people who insist on using MyWeakPassword1234 everywhere on the internet, multiply everything by WordPresses market share and sprinkle on dash of good old fashion ignorance and it’s easy to see why WordPress is considered insecure.

      It’s funny really because keeping plugins up to date and using a unique, random password is about 90% of the battle. It’s not WordPress that’s insecure, it’s the way people use it.

      Report

  3. Marcus Tibesar

    You know, I never gave Equifax, TransUnion or that other credit service permission to store my personal data. They just do it on their own without our permission.

    Then they want us to keep our information current or correct all the time. Well why do I have to do that when I never gave them permission to store my personal information in the first place. And they want to charge us money to “monitor” our own credit data. How upside down is this!

    Additionally we are expected to keep all 3 databases all up to date so that they can turn around and sell it to the financial institutions.

    These guys are scumbags – it’s as simple as that.

    Report

    • Jeffrey

      I know right?

      I don’t believe Equifax is really trying to make up their mistakes: first of all, the monitoring system they offered is part of their company. If I can’t trust Equifax, how can I trust another service offered by the same company? Secondly, the free service offered is only free for a year, but my personal information has been compromised forever, what am I supposed to do after the first year? I have to pay $19.99/month to continue using the monitoring service. That’s total ripoff. Thirdly, the potential checker website is very shady because you can put in fake information and it will randomly tell you your information might have been compromised and you need to enroll in their monitoring service.

      Report

    • Brian

      Marcus,
      When you open an account or take out a loan/credit card with a financial institution, you give them permission to share that info with credit monitoring agencies, such as Equifax.

      Report

  4. Josh

    Why was WP even used? Seems completely unnecessary to use a full CMS platform for a simple site like that…just introducing a ton of bloat and potential security issues for no reason.

    Report

  5. Michael Hannigan

    This odd domain name was a REALLY stupid thing. Ironic, even – that with the response to a security incident like this, they would address it specifically with all the workings of a phishing scam. I’m [pretty] sure they didn’t mean to do that, but it was so badly done, a colleague and I looked at it, thinking it was some kind of joke or phishing awareness trick. I mean, you click on a link from a news article for an Equifax security breach and you get brought to a page that ANYONE of us could have registered and it asks you for your name and almost ALL of your social security number? I couldn’t believe it. I still can’t.

    Mike

    Report

  6. Michael Hannigan

    I’m not sure how the user names were exposed. You should get an error if you try to access them as an outside user:

    {“code”:”rest_user_cannot_view”,”message”:”Sorry, you are not allowed to list users.”,”data”:{“status”:401}}

    Mike

    Report

  7. Jay

    Signing up for their free protection services also has a clause to remove you from arbitration, and also is a free service for 1 year after which you will be automatically enrolled and charged for the service.

    Report

Comments are closed.

%d bloggers like this: