WordPress User-Agent

Well, I just got a nasty shock!

I got in at the tail end of a thread about the new update notification feature in WordPress 2.3.

One of the comments I read kept ricocheting around in my head. Matt Mullenweg said something about the dashboard RSS feeds transmitting my blog URL. I thought, initially, that he meant the IP address was revealed. But the more I thought about it, the weirder it seemed.

So I started looking through the source and discovered that every service that made an HTTP request had its own version of the User-Agent header containing, at minimum, the version number and usually the blog URL!

I understand security well enough to know that this won’t suddenly give an attacker the ability to break into my system. However, what it does do is give out more information than I give anywhere else on my site.

In addition, if I were an attacker who wanted to crack a large number of blogs, then ping-o-matic or some other place that receives this information regularly would be my first target. I’d then have a reliable list of blogs, with version numbers, to launch attacks on. It’s even better than using searches!

And there is no reason to give this data away, at all.

I have submitted a bug asking for a single function to generate the user-agent strings. In addition to improving the code, this would allow for easy overriding in a plugin or something similar.
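One shape such a single function could take, as an added example rather than code from WordPress or from the bug report: every outbound request builds its header through one function, and a plugin can replace the string through a filter. It assumes WordPress’s add_filter()/apply_filters() hook API, get_option('siteurl') and the $wp_version global; the function name wp_http_user_agent() and the filter name are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress's
// add_filter()/apply_filters() hooks and the $wp_version global;
// the function and filter names below are hypothetical.

// The one place the User-Agent string is built. Callers that used to
// hard-code "WordPress/x.y; http://blog.example" call this instead.
function wp_http_user_agent( $include_url = true ) {
    global $wp_version;
    $ua = 'WordPress/' . $wp_version;
    if ( $include_url ) {
        $ua .= '; ' . get_option( 'siteurl' );
    }
    // Plugins (or the privacy page) can rewrite or strip the string here.
    return apply_filters( 'wp_http_user_agent', $ua, $include_url );
}

// Plugin side: disclose neither the version nor the blog URL to
// ping services, dashboard feeds or update checks.
function my_minimal_user_agent( $ua, $include_url ) {
    return 'WordPress';
}
add_filter( 'wp_http_user_agent', 'my_minimal_user_agent', 10, 2 );

// Any service making a request now inherits the filtered value:
$headers = array( 'User-Agent: ' . wp_http_user_agent() );
```

With the filter registered, a check of the outbound request (for example by pointing the ping URL at a local listener) should show only "WordPress" in the header.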

Meanwhile, I’ll probably hack these up in my copy of WordPress.

I have to admit, I’m disappointed.

Ciao!

UPDATE 2007-09-25: A couple of articles: wank.wordpress.com & Slashdot

UPDATE 2007-09-27: I submitted bugs and patches (#5065 and #5085). There is also a bug about adding an option to the privacy page (#5066). Isn’t it wonderful?

This entry was posted in WebDev.
