Huge security issue: Comment fields reveal email address of different user (15 posts)

  1. Eric Murphy
    Member
    Posted 1 year ago #

    I have a huge security issue:

    Commentators see the emails of other commentators.

    From time to time (not always) when visitors (i.e. not logged in users) want to post a comment they see the emails of completely different commentators.

    They would go to "Leave a reply" and the name input field and the email input field would automatically contain not their own name and their own email addresses (that were used for the previous comment they made), but would show someone else's name and someone else's email. WordPress would simply reveal another commentator's name+email.

    The IPs are completely different, thus it's not a simple IP mess up.

    This bug cannot be reproduced. It happens rarely, but it happens.

    I have a multi-site install, in case that matters. It happened both with the TwentyTen and TwentyEleven theme.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    You'd need to reproduce this using Twenty Eleven and no plugins. Frankly it sounds more like a browser issue to me.

  3. Eric Murphy
    Member
    Posted 1 year ago #

    This in no way can be a browser issue. How in the world would the browser know the emails of other commentators?

    Unfortunately I cannot reproduce it even with plugins turned on. It's a very infrequent thing.

  4. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    That would depend on the people who have reported the issue. If this was reported by people who use the same computers & don't log onto them with their own separate user accounts then it could be a browser issue. For example if your site visitors attend the same school / workplace where the IT staff have a honeybadger-like attitude towards security.

  5. Eric Murphy
    Member
    Posted 1 year ago #

    > If this was reported by people who use the same computers

    I know what you mean but this isn't the case.

    The user who saw someone else's email address isn't in the same city and their IPs have nothing in common.

    Additionally I can confirm this bug, because it happened to me myself: I am a superadmin of the network, but was logged out when it happened. The comment input fields were filled with the name and email address of a completely different user.

    And I don't even live in the same country as that user.

  6. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    Please post a link to the site.

    When you are not logged on, how often can you see the issue?

    Are you using a cache plugin? any plugins that have anything to do with comments?

  7. prionkor
    Member
    Posted 1 year ago #

    > this was reported by people who use the same computers

    I have seen this on a couple of websites. If the email address is showing on the same PC, I think the form is trying to put in the email address so people don't have to put in the details again. Never concerned about it because it's on the same PC.

    Can you give your website address?

  8. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    > Never concerned about it because its on a same PC

    Scan your computer with well known AV each day - if you host sites with FTP or a browser, you can infect your sites.

  9. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    Prionkor we have ruled that out already - Eric has confirmed that people are not sharing the same PCs

  10. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    > are not sharing the same PCs

    What does that mean?

  11. prionkor
    Member
    Posted 1 year ago #

    @Eric Murphy:

    Did you try:

    1. Reinstalling themes?
    2. Or checking the comment template file to see if there is any suspicious code?

    Are you using any plugin that interacts with comments?

  12. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    @prionkor - please describe how the above post is helpful

  13. WebTechGlobal
    Member
    Posted 1 year ago #

    Try searching for the form ID in your entire blog to see if JavaScript or PHP is using that ID.

    There has to be a browser plugin/setting or WordPress plugin to automatically fill out any form. There would need to be functions in both PHP and JavaScript to pull this off, indicating that either a plugin or theme has a security issue.

  14. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    > What does that mean?

    Exactly what it sounds like - more than one user accessing the website from the same computer & not logging off when they finished. A scenario where this might have been the case would be a school website being accessed by pupils in the IT suite.

    As this has been ruled out by Eric, I would suggest looking closer at plugins next - i.e. investigate whether the issue appears with all plugins deactivated then only reappears after reactivating one specific plugin. This may be difficult though as the issue sounds like it is not predictable or reliably repeatable.

  15. Eric Murphy
    Member
    Posted 1 year ago #

    I downloaded all WordPress files and compared them byte-by-byte to the original WordPress files.

    100% match. Both templates and code.

    Therefore I suppose it has to be a plugin.

    > Are you using a cache plugin? any plugins that have anything to do with comments?

    Indeed, that is the best bet. I guess only a cache plugin (I use QuickCache) would be able to expose a previous commentator's email to a following commentator. QuickCache is the most likely source of this security bug.

    Will need to post in the QuickCache support forum.
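
A check for the caching hypothesis raised in the post above, added here as an example (not code from the thread or from any plugin): it scans the HTML served to a cookie-less visitor for pre-filled comment identity fields, and shows the cookie test a page cache needs so that it never stores or serves such a page. The field ids `author`, `email`, `url` and the cookie prefixes are WordPress defaults assumed unchanged by the theme; the sample pages are constructed.

```python
from html.parser import HTMLParser

# ids of the identity inputs in WordPress's default comment form
# (assumption: the theme has not renamed them).
COMMENT_FIELDS = ("author", "email", "url")
# Cookie name prefixes that mark a request as personalised (WordPress defaults).
PERSONAL_COOKIE_PREFIXES = ("comment_author_", "wordpress_logged_in_")

class CommentFormScanner(HTMLParser):
    """Record any comment identity input that arrives with a non-empty value."""
    def __init__(self):
        super().__init__()
        self.prefilled = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        value = (attr.get("value") or "").strip()
        if attr.get("id") in COMMENT_FIELDS and value:
            self.prefilled[attr["id"]] = value

def leaked_fields(html):
    """Return {field id: value} for pre-filled fields in a page fetched without cookies."""
    scanner = CommentFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.prefilled

def may_cache(cookie_names):
    """A page cache should neither store nor serve a page for a personalised request."""
    return not any(n.startswith(PERSONAL_COOKIE_PREFIXES) for n in cookie_names)

# Constructed sample pages: what an anonymous visitor should and should not receive.
CLEAN_PAGE = '<form id="commentform"><input id="author" name="author" value="" />' \
             '<input id="email" name="email" value="" /></form>'
LEAKY_PAGE = '<form id="commentform"><input id="author" name="author" value="Alice Example" />' \
             '<input id="email" name="email" value="alice@example.com" /></form>'

if __name__ == "__main__":
    print(leaked_fields(CLEAN_PAGE))
    print(leaked_fields(LEAKY_PAGE))
    print(may_cache(["comment_author_email_0123abcd"]))
```

Running `leaked_fields` against pages saved from the cache directory, or fetched with no cookies at all, turns an intermittent report into something that can be checked on every cached file.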
