Title: get_userinfo not secure
Last modified: August 22, 2016

---

# get_userinfo not secure

 *  Resolved [joe.t.evil](https://wordpress.org/support/users/joetevil/)
 * (@joetevil)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/get_userinfo-not-secure/)
 * Hi.
 * If I make a call to [json_api_url]/user/get_userinfo/?user_id=(int)value, it
   outputs the user profile of any user (just change the (int)value).
 * There is no authentication control to make this call. Tried on different devices,
   without login or authorization.
 * That’s a big issue, everyone can dump all userdata.
 * [https://wordpress.org/plugins/json-api-user/](https://wordpress.org/plugins/json-api-user/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Ali Qureshi](https://wordpress.org/support/users/parorrey/)
 * (@parorrey)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/get_userinfo-not-secure/#post-5246914)
 * well, the api is not public.. usually it has to be a secure url for your app 
   use and can be made even password protected with htaccess..
 * secondly, the only possible sensitive info is email address and user_login.
 * But I will comment ‘email’ and ‘user_login’ too in next plugin update. All other
   fields are public already on website.
 *  Plugin Author [Ali Qureshi](https://wordpress.org/support/users/parorrey/)
 * (@parorrey)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/get_userinfo-not-secure/#post-5247077)
 * email and user_login have been removed from get_userinfo response in the ver 1.3.
 * Also, user_meta has been secured with cookie.
 *  Thread Starter [joe.t.evil](https://wordpress.org/support/users/joetevil/)
 * (@joetevil)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/get_userinfo-not-secure/#post-5247105)
 * Good job!


The topic ‘get_userinfo not secure’ is closed to new replies.
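
An added example, not part of the original thread or the plugin's code: a log review for the exposure reported above, listing clients that retrieved several different profiles through get_userinfo. The `/api` base path, the combined log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2014:10:00:01 +0000] "GET /api/user/get_userinfo/?user_id=1 HTTP/1.1" 200 412 "-" "curl/7.35"
203.0.113.7 - - [22/Aug/2014:10:00:02 +0000] "GET /api/user/get_userinfo/?user_id=2 HTTP/1.1" 200 398 "-" "curl/7.35"
203.0.113.7 - - [22/Aug/2014:10:00:03 +0000] "GET /api/user/get_userinfo/?user_id=3 HTTP/1.1" 200 405 "-" "curl/7.35"
203.0.113.7 - - [22/Aug/2014:10:00:04 +0000] "GET /api/user/get_userinfo/?user_id=4 HTTP/1.1" 404 120 "-" "curl/7.35"
198.51.100.20 - - [22/Aug/2014:10:05:00 +0000] "GET /api/user/get_userinfo/?user_id=17 HTTP/1.1" 200 401 "-" "MyApp/1.0"
198.51.100.20 - - [22/Aug/2014:10:09:00 +0000] "GET /api/user/get_userinfo/?user_id=17 HTTP/1.1" 200 401 "-" "MyApp/1.0"
198.51.100.20 - - [22/Aug/2014:10:09:30 +0000] "GET /api/get_recent_posts/ HTTP/1.1" 200 9000 "-" "MyApp/1.0"
"""

# client IP, request target and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def profile_lookups(log_text):
    """Map client IP -> set of distinct user_id values served with HTTP 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        # The API base path is site-specific, so match on the endpoint suffix only.
        if not url.path.rstrip("/").endswith("/user/get_userinfo"):
            continue
        ids = parse_qs(url.query).get("user_id", [])
        if status == "200" and ids and ids[0].isdigit():
            seen[client].add(int(ids[0]))
    return seen

def enumerating_clients(log_text, threshold=3):
    """Clients that fetched `threshold` or more different profiles."""
    return {ip: sorted(ids) for ip, ids in profile_lookups(log_text).items()
            if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip} read {len(ids)} distinct profiles: {ids}")
```

A client that repeatedly reads one profile, like the app traffic in the sample, stays below the threshold; only the count of distinct user_id values per client is compared.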

 * 3 replies
 * 2 participants
 * Last reply from: [joe.t.evil](https://wordpress.org/support/users/joetevil/)
 * Last activity: [11 years, 9 months ago](https://wordpress.org/support/topic/get_userinfo-not-secure/#post-5247105)
 * Status: resolved