WordPress.org

Ready to get started?Download WordPress

Forums

Security Risk on WordPress.com (Comments) (2 posts)

  1. HackAsh
    Member
    Posted 3 years ago #

    Dear WordPress.com,

    There is a huge security risk in how you handle comments. Consider this scenario (that happened to me!):

    Registered member of WordPress.com, 'John Smith', goes to one of millions of hosted blogs on your .com platform and writes a comment:

    "I am against racism!"

    Now, once he presses "submit" button, he cannot edit his comment anylonger. From now on, John's comment is in full control of the "webmaster" of a blog where he commented.

    Now, if webmaster "hates" or "dislikes" John, he/she can go and EDIT/MODIFY John's comment to look like this:

    "I support racism!"

    Isn't this a huge security issue for WordPress.com ?

    Ordinary reader will have no idea that renegade webmaster modified John's comment to make John look like a racist. And John cannot go back and delete his own comment! That is a huge security issue! I think registered WordPress.com members OUGHT TO BE able to modify or even delete their own comments on other blogs.

  2. mrmist
    Forum Janitor
    Posted 3 years ago #

    Hi

    Firstly, the WordPress.com forums are at http://en.forums.wordpress.com for future reference. As this sort of thing applies across WordPress, though, it may as well be addressed here.

    This is not really a "security" risk. There's no inherent flaw in the product that can be abused to produce this behaviour - it's as designed and is abused only by the choice of the site editors.

    When you comment anywhere on the Internet, that comment is then made available to the world, and can be edited by the owners / editors of the site that you have posted to. That's the choice that you make by submitting a comment.

    Yes, the possibility exists for webmasters to edit posted comments. I have to say, though, that I think that this facility is rarely abused. Certainly not on respectable, high traffic, websites where such abuse would actually matter. (I.E. if it's happening some place where noone sees it, then effectively no harm is done.)

    In most legal jurisdictions, should such an edit cast the poster unfavourably, they have legal options to sue for e.g libel.

    Consider, however, the converse view that you are presenting - if anyone can continue to edit their comments or delete them after posting, they could equally abuse that facility, e.g. to post an insulting comment, wait for that to stir up responses, then edit or delete the original text. I'm sure that you can see how that is unacceptable. (Of course, some [WordPress based] sites do offer comment editing through plugins.)

    I suggest that you avoid commenting on sites that you suspect will edit your comments in such a way, but otherwise not worry about the problem.

Topic Closed

This topic has been closed to new replies.

About this Topic