Support » Alpha/Beta/RC » akismet: sending session cookies

  • This is effectively a backdoor.

    It was brought up on the Akismet mailing list that there was a problem, but Matt said the contents of $_SERVER were useful.

    more info

    As it is included by default I just thought people should know that it sends all the cookies for your whole domain (i.e. if you are logged into another application on your domain and make a comment on your blog it will send these too).

    Matt, I strongly suggest you don’t send cookies to As Dirk Haun wrote on the Akismet mailing list, there are privacy and security implications.

Viewing 15 replies - 1 through 15 (of 15 total)
  • hrm, this would be a great concern because i’m hosting a few hundred WordPress sites and will be migrating to 1.6 once it comes out. i hope this issue will get resolved if indeed, there are valid “privacy and security implications”.

    Moderator James Huff


    macmanx this was already reported publicly almost a month ago.

    Moderator James Huff


    Yes, but as the Codex says, security concerns need to be submitted to security (at) wordpress (dot) org. It really doesn’t matter where the concern was reported. If it is not submitted properly, it probably won’t be noticed by the right person.

    No, actually the codex says “Instructions on this page apply only to bugs in the WordPress core, and do not apply to bugs in plugins.”

    It’s not a security problem if you trust matt/akismet – they are the only ones with access to the session cookies.

    Also it’s a 3rd party plugin issue, not a wordpress issue per se. It’s just that this plugin is included by default and users of wordpress should be aware about this 3rd party service and its security and privacy implications.

    I have submitted a bug to the plugin author, but I posted here as a warning about using the plugin, not as a bug or security report.

    Thanks for your continued attention, although it does seem like you’re trying to incite something.

    As was said before, anything Akismet doesn’t use is ignored and not logged anywhere. You don’t have to trust me or Akismet, there will be a legally binding privacy policy on the site soon that guarantees as much.

    Matt, the issue is session cookies. Not just for wordpress but for your whole domain. They allow you (Akismet) to log in to the wordpress install, and possibly other CMSes running on your domain.

    I’m just not sure if it’s on purpose or not?

    For what it’s worth, there is a more “user controlled” version of the Akismet plugin available here:

    I omitted the permalink because the next post down details EXACTLY what is sent, and both posts are currently the most recent on the site.

    Good work whooami 🙂

    I’m not a tinfoilhat wearer, just think session cookies shouldn’t be treated lightly.

    eadz, glad you appreciate it — it is not my work though. 🙂


    The plugin mentioned above is mine. Hope it helps, I was just as disturbed that all that data was being sent to Akismet as everyone here apparently has been.

    I have to say, I’m somewhat disappointed in Matt’s response here. I’d say we’re certainly trying to incite something: an explanation. From what I’ve read (here, as well as other places) that’s been the key goal all along: to learn why this data was being sent in the first place.

    I’m sure people would have had much less of a problem, had you come out and explained why the entirety of $_SERVER was being sent with each request (either that it was a mistake, or that it was needed for <reason>). As with most things, when a question / complaint goes unanswered or gets brushed off, people start to wonder if something’s being hidden or if there’s some ulterior motive.

    As for the legal statement… Privacy policies are great, but it’s the human touch that we all crave. You’re *the* Matt… If you’d just told us it was a mistake, or assured us that it wasn’t being used nefariously, most of us would have nodded and trusted you because we have no reason not to.

    Maybe we can all learn something from this, eh? 🙂


    Why not make a list of all the SERVER values that you think are highly sensitive and the next version of Akismet will exclude them.

    The obvious one is HTTP_COOKIE, it’s excluded now.

    HTTP_COOKIE was the only one I was really worried about.

    I guess you can close the ticket now
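
An added example, not part of the thread and not Akismet's code: the thread settles on excluding `HTTP_COOKIE` from the `$_SERVER` data sent to the service, and this sketch goes one step further by comparing that denylist approach with an allowlist. The function names, both key lists and the sample request are assumptions constructed for illustration.

```php
<?php
// Keys a remote spam-check service might plausibly need (assumed list).
const SERVER_ALLOWLIST = [
    'REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER',
    'HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'REQUEST_URI', 'REQUEST_METHOD',
];

// Credential-bearing keys that PHP can place in $_SERVER.
const SERVER_DENYLIST = [
    'HTTP_COOKIE', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION',
    'PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST',
];

// Denylist: send everything except the keys known to be sensitive.
function strip_sensitive(array $server): array
{
    return array_diff_key($server, array_flip(SERVER_DENYLIST));
}

// Allowlist: send only named keys, so unknown headers never leave the host.
function keep_allowed(array $server): array
{
    return array_intersect_key($server, array_flip(SERVER_ALLOWLIST));
}

// Flag key names in an outgoing payload that still look credential-like.
function leaked_keys(array $payload): array
{
    return array_values(preg_grep('/COOKIE|AUTH|TOKEN|SESSION/i', array_keys($payload)));
}

// Constructed sample standing in for $_SERVER during a comment POST.
$server = [
    'REMOTE_ADDR'      => '203.0.113.7',
    'HTTP_USER_AGENT'  => 'ExampleBrowser/1.0',
    'HTTP_REFERER'     => 'https://blog.example/post-1',
    'HTTP_COOKIE'      => 'wordpress_logged_in=CONSTRUCTED; othercms_session=CONSTRUCTED',
    'HTTP_X_API_TOKEN' => 'CONSTRUCTED-TOKEN', // custom header the denylist does not know
    'DOCUMENT_ROOT'    => '/var/www/example',
];

foreach (['denylist' => strip_sensitive($server), 'allowlist' => keep_allowed($server)] as $name => $payload) {
    echo $name, ' sends: ', implode(', ', array_keys($payload)), "\n";
    echo '  still suspicious: ', implode(', ', leaked_keys($payload)) ?: '(none)', "\n";
}
```

The denylist removes the session cookies but still forwards the custom token header and the document root; the allowlist forwards only the keys it names.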

  • The topic ‘akismet: sending session cookies’ is closed to new replies.