
akismet: sending session cookies (16 posts)

  1. eadz
    Member
    Posted 8 years ago #

    This is effectively a backdoor.

    It was brought up on the Akismet mailing list that there was a problem, but Matt said the contents of $_SERVER were useful.

    more info

    As it is included by default, I just thought people should know that it sends all the cookies for your whole domain (i.e. if you are logged into another application on your domain and make a comment on your blog, it will send these too).

    Matt I strongly suggest you don't send cookies to Akismet.com. As Dirk Haun wrote on the akismet mailing list there are privacy and security implications.

  2. scaturan
    Member
    Posted 8 years ago #

    hrm, this would be a great concern because I'm hosting a few hundred WordPress sites and will be migrating to 1.6 once it comes out. I hope this issue will get resolved if indeed there are valid "privacy and security implications".

  3. eadz
    Member
    Posted 8 years ago #

    macmanx, this was already reported publicly almost a month ago.
    http://comox.textdrive.com/pipermail/spam-stopper/2005-October/000223.html

  4. Yes, but as the Codex says, security concerns need to be submitted to security (at) wordpress (dot) org. It really doesn't matter where the concern was reported. If it is not submitted properly, it probably won't be noticed by the right person.

  5. eadz
    Member
    Posted 8 years ago #

    No, actually the Codex says "Instructions on this page apply only to bugs in the WordPress core, and do not apply to bugs in plugins."

    It's not a security problem if you trust Matt/Akismet - they are the only ones with access to the session cookies.

    Also, it's a 3rd party plugin issue, not a WordPress issue per se. It's just that this plugin is included by default, and users of WordPress should be aware of this 3rd party service and its security and privacy implications.

    I have submitted a bug to the plugin author, but I posted here as a warning about using the plugin, not as a bug or security report.

  6. Matt Mullenweg
    Troublemaker
    Posted 8 years ago #

    Thanks for your continued attention, although it does seem like you're trying to incite something.

    As was said before, anything Akismet doesn't use is ignored and not logged anywhere. You don't have to trust me or Akismet, there will be a legally binding privacy policy on the site soon that guarantees as much.

  7. eadz
    Member
    Posted 8 years ago #

    Matt, the issue is session cookies. Not just for WordPress but for your whole domain. They allow you (Akismet) to log in to the WordPress install, and possibly other CMSes running on your domain.

    I'm just not sure if it's on purpose or not?

  8. whooami
    Member
    Posted 8 years ago #

    For what it's worth, there is a more "user controlled" version of the Akismet plugin available here: http://incoherentbabble.com

    I omitted the permalink because the next post down details EXACTLY what is sent, and both posts are currently the most recent on the site.

  9. eadz
    Member
    Posted 8 years ago #

    Good work whooami :)

    I'm not a tinfoil hat wearer, I just think session cookies shouldn't be treated lightly.

  10. whooami
    Member
    Posted 8 years ago #

    eadz, glad you appreciate it -- it is not my work though. :)

  11. chrismeller
    Member
    Posted 8 years ago #

    Howdy,

    The plugin mentioned above is mine. Hope it helps, I was just as disturbed that all that data was being sent to Akismet as everyone here apparently has been.

    I have to say, I'm somewhat disappointed in Matt's response here. I'd say we're certainly trying to incite something: an explanation. From what I've read (here, as well as other places) that's been the key goal all along: to learn why this data was being sent in the first place.

    I'm sure people would have had much less of a problem had you come out and explained why the entirety of $_SERVER was being sent with each request (either that it was a mistake, or that it was needed for <reason>). As with most things, when a question / complaint goes unanswered or gets brushed off, people start to wonder if something's being hidden or if there's some ulterior motive.

    As for the legal statement... Privacy policies are great, but it's the human touch that we all crave. You're *the* Matt... If you'd just told us it was a mistake, or assured us that it wasn't being used nefariously, most of us would have nodded and trusted you because we have no reason not to.

    Maybe we can all learn something from this, eh? :)

  12. eadz
    Member
    Posted 8 years ago #

    nm

  13. Matt Mullenweg
    Troublemaker
    Posted 8 years ago #

    Why not make a list of all the SERVER values that you think are highly sensitive and the next version of Akismet will exclude them.

  14. Matt Mullenweg
    Troublemaker
    Posted 8 years ago #

    The obvious one is HTTP_COOKIE; it's excluded now.

    http://dev.wp-plugins.org/changeset/4017

  15. eadz
    Member
    Posted 8 years ago #

    HTTP_COOKIE was the only one I was really worried about.

    I guess you can close the ticket now: http://dev.wp-plugins.org/ticket/314
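The mitigation the thread settles on (drop HTTP_COOKIE before forwarding $_SERVER to the spam-check service), written out as an added example. This is not Akismet's code and not the linked changeset; the sensitive keys beyond HTTP_COOKIE and the sample request values are assumptions constructed for the illustration.

```php
<?php
// Added example, not Akismet's own code. Forwarding $_SERVER wholesale to a
// third-party service leaks every cookie set on the domain; filter it first.

// Deny-list of server variables that carry credentials or session identifiers.
// HTTP_COOKIE is the one discussed in the thread; the rest are assumptions about
// other keys a practitioner would not want to hand to a remote service.
const SENSITIVE_SERVER_KEYS = [
    'HTTP_COOKIE',        // session cookies for the whole domain
    'HTTP_AUTHORIZATION', // HTTP Basic/Bearer credentials
    'PHP_AUTH_USER',
    'PHP_AUTH_PW',
    'PHP_AUTH_DIGEST',
];

/**
 * Return a copy of $server with credential-bearing keys removed.
 * Comparison is case-insensitive so an oddly-cased key is still dropped.
 */
function strip_sensitive_server_vars(array $server): array
{
    $deny = array_map('strtoupper', SENSITIVE_SERVER_KEYS);
    return array_filter(
        $server,
        fn($key) => !in_array(strtoupper((string) $key), $deny, true),
        ARRAY_FILTER_USE_KEY
    );
}

/**
 * Build the form body for the comment check: the comment fields first, then the
 * filtered server variables (comment fields win if a key collides).
 */
function build_comment_check_payload(array $comment, array $server): string
{
    return http_build_query($comment + strip_sensitive_server_vars($server));
}

// Constructed sample request standing in for a real $_SERVER.
$sample_server = [
    'REMOTE_ADDR'     => '203.0.113.10',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (example)',
    'HTTP_REFERER'    => 'https://blog.example/post/1',
    'HTTP_COOKIE'     => 'wordpresspass_example=secret; PHPSESSID=abc123',
    'PHP_AUTH_PW'     => 'hunter2',
];
$payload = build_comment_check_payload(
    ['comment_author' => 'alice', 'comment_content' => 'nice post'],
    $sample_server
);
assert(strpos($payload, 'HTTP_COOKIE') === false && strpos($payload, 'hunter2') === false);
echo $payload, PHP_EOL; // REMOTE_ADDR, user agent and referer survive; no cookies or passwords
```

A deny-list like this catches the keys you already know about; an allow-list of the handful of variables the service actually needs (remote address, user agent, referer) is the stricter option when the required fields are documented.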

Topic Closed

This topic has been closed to new replies.
