Beware - Blogger Password Stored in Plaintext (6 posts)

  1. pubwvj
    Member
    Posted 8 years ago #

    I just transferred over a test blog from Blogger.com to WordPress 2.0.

    That went smoothly. I then ran a backup using the backup plugin.

    I downloaded the backup to my computer and was pawing through it in a text editor and lo and behold, there is my Blogger login info with my password in plain text!!!

    Not good. Bad, WP, Bad. Sit. Stay. Grrr...

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Where exactly did you see this?

    And to reassure everyone:
    - your blog password is ONLY stored inside the database.
    - your database password is ONLY stored in your wp-config.php file which CANNOT be read in a browser

    http://www.tamba2.org.uk/T2/wp-config.php
    Mine has been there for 2 years. Go read it.

    If WP was that insecure, don't you think that this might have been mentioned before?

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Oh, and inside the database, the password is further MD5 encoded. That makes it pretty much impossible to decipher.

  4. pubwvj
    Member
    Posted 8 years ago #

    I found Blogger.com password in the database backup I had made using the Backup command in Manage in admin. As I stated I did the transfer from Blogger.com which is when it asks for my Blogger.com password and userID. I then ran the backup plugin, downloaded the backup file to my computer, looked inside and found my password. It is in plaintext. It is NOT MD5 or otherwise encoded. Do it yourself if you want the exact location. I'm not passing a copy of my database around. Who knows what else is in there.

    Oh, and don't just dismiss this as "If WP was that insecure, don't you think that this might have been mentioned before" when someone mentions a security concern. Not only is that rude but you apparently haven't even checked the issue yet. Fact is WP2 is new and apparently it is storing the Blogger.com login info. It should not be doing so. That is a potential security flaw.

  5. vkaryl
    Member
    Posted 8 years ago #

    And "potential security flaws" should not be reported on this forum.

    Please report this here: security-at-wordpress-dot-org (replacing the obvious, of course)

  6. pubwvj
    Member
    Posted 8 years ago #

    Thank you. I have now done so. It is not obvious where to report this. I appreciate the pointer.

Topic Closed

This topic has been closed to new replies.
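
The check discussed in this thread (looking through a downloaded database backup for a password you know, and telling a plaintext copy from an MD5 one), as an added example that is not part of the original thread or of WordPress. The sample dump, its option name `example_import_option` and both sample passwords are constructed for illustration; real table and option names will differ.

```python
import hashlib
import re

# Constructed sample values, not taken from any real site.
SAMPLE_LOGIN = "login-pass-456"
SAMPLE_SECRET = "blogger-pass-123"
INSERT_RE = re.compile(r"INSERT INTO\s+`?(\w+)`?", re.IGNORECASE)

def build_sample():
    """Build a tiny constructed SQL dump: one MD5 login, one plaintext secret."""
    login_md5 = hashlib.md5(SAMPLE_LOGIN.encode("utf-8")).hexdigest()
    return "\n".join([
        f"INSERT INTO `wp_users` VALUES (1,'admin','{login_md5}');",
        f"INSERT INTO `wp_options` VALUES (42,'example_import_option','{SAMPLE_SECRET}');",
        "INSERT INTO `wp_posts` VALUES (7,'Hello world');",
    ])

def find_secret(dump_text, secret):
    """Return (line_no, table, form) for every dump line that holds the secret."""
    if not secret:
        raise ValueError("secret must not be empty")
    md5_hex = hashlib.md5(secret.encode("utf-8")).hexdigest()
    # Dumps escape backslashes and quotes, so look for the escaped spelling too.
    escaped = secret.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    findings = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        match = INSERT_RE.search(line)
        table = match.group(1) if match else "?"
        if secret in line or escaped in line:
            findings.append((line_no, table, "plaintext"))
        if md5_hex in line.lower():
            findings.append((line_no, table, "md5"))
    return findings

if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        # Prompt for the secret so it never lands in shell history or ps output.
        secret = getpass.getpass("Secret to look for: ")
    else:
        text, secret = build_sample(), SAMPLE_SECRET
    for line_no, table, form in find_secret(text, secret):
        # Report only the location, never the secret itself.
        print(f"line {line_no}: table {table}: stored as {form}")
```

Run with a dump path as the only argument to audit a real backup; with no argument it scans the constructed sample.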
