Wordpress Users Disclosure (/wp-json/wp/v2/users/)
Categories
(Websites :: Other, task)
Tracking
(Not tracked)
People
(Reporter: dzhenway, Unassigned)
References
()
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
Hi Security Team,
Information:
Using the REST API, we can see all the WordPress users/authors with some of their information.
Steps To Reproduce:
You can get user info by entering the below URL in your browser:
https://blog.mozilla.org/wp-json/wp/v2/users
Result:
[
  {
    "id": 1613,
    "name": "Alan Davidson",
    "url": "",
    "description": "",
    "link": "https://blog.mozilla.org/blog/author/adavidsonmozilla-com/",
    "slug": "adavidsonmozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/088acf20f454ceb0adab005c81d17035?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/088acf20f454ceb0adab005c81d17035?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/088acf20f454ceb0adab005c81d17035?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1613" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 720,
    "name": "Ali Spivak",
    "url": "",
    "description": "<a href=\"https://twitter.com/alispivak\\\">@alispivak</a>. Ali is the head of Developer Ecosystem at Mozilla, and has been developing and managing web sites for longer than she cares to admit. She's passionate about keeping the web open and working on things developers love (like MDN).",
    "link": "https://blog.mozilla.org/blog/author/aspivakmozilla-com/",
    "slug": "aspivakmozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/401943669c4af295f5b2c99f90dd221a?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/401943669c4af295f5b2c99f90dd221a?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/401943669c4af295f5b2c99f90dd221a?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/720" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1604,
    "name": "Amy Keating",
    "url": "",
    "description": "",
    "link": "https://blog.mozilla.org/blog/author/akeatingmozilla-com/",
    "slug": "akeatingmozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/3a80ef27dc5a12d5016baac34fd8cdca?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/3a80ef27dc5a12d5016baac34fd8cdca?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/3a80ef27dc5a12d5016baac34fd8cdca?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1604" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1312,
    "name": "An-Me Chung",
    "url": "",
    "description": "",
    "link": "https://blog.mozilla.org/blog/author/anmemozillafoundation-org/",
    "slug": "anmemozillafoundation-org",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/5dced0528fa9bb173d1e20b06c218972?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/5dced0528fa9bb173d1e20b06c218972?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/5dced0528fa9bb173d1e20b06c218972?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1312" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1207,
    "name": "Andre Vrignaud",
    "url": "",
    "description": "Andre Vrignaud is the Head of Platform Strategy for Mozilla’s Mixed Reality Program, where he guides the strategy for Mozilla's efforts to enable an open, sustainable 3D web and ecosystem. With a side of net neutrality and privacy advocacy.",
    "link": "https://blog.mozilla.org/blog/author/avrignaudmozilla-com/",
    "slug": "avrignaudmozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/f30a6d723b8845f6035aee4f822f753c?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/f30a6d723b8845f6035aee4f822f753c?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/f30a6d723b8845f6035aee4f822f753c?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1207" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1275,
    "name": "Ari Jaaksi",
    "url": "",
    "description": "Mozilla Senior Vice President, Connected Devices",
    "link": "https://blog.mozilla.org/blog/author/ajaaksimozilla-com/",
    "slug": "ajaaksimozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/6280e8e3e540e142fbbb342e4ecdbd92?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/6280e8e3e540e142fbbb342e4ecdbd92?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/6280e8e3e540e142fbbb342e4ecdbd92?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": {
      "24": "https://blog.mozilla.org/wp-content/uploads/2015/12/ajaaksi@mozilla.com_avatar_1449692600-24x24.jpg",
      "32": "https://blog.mozilla.org/wp-content/uploads/2015/12/ajaaksi@mozilla.com_avatar_1449692600-32x32.jpg",
      "68": "https://blog.mozilla.org/wp-content/uploads/2015/12/ajaaksi@mozilla.com_avatar_1449692600-68x68.jpg",
      "96": "https://blog.mozilla.org/wp-content/uploads/2015/12/ajaaksi@mozilla.com_avatar_1449692600-96x96.jpg",
      "full": "https://blog.mozilla.org/wp-content/uploads/2015/12/ajaaksi@mozilla.com_avatar_1449692600.jpg"
    },
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1275" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 35,
    "name": "Asa Dotzler",
    "url": "http://weblogs.mozillazine.org/asa",
    "description": "Asa Dotzler is the Product Manager for Firefox at Mozilla",
    "link": "https://blog.mozilla.org/blog/author/asamozillacom/",
    "slug": "asamozillacom",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/7269bb03b7ff4b0e9cdc42381e65ce0e?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/7269bb03b7ff4b0e9cdc42381e65ce0e?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/7269bb03b7ff4b0e9cdc42381e65ce0e?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/35" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1532,
    "name": "Ashley Boyd",
    "url": "",
    "description": "",
    "link": "https://blog.mozilla.org/blog/author/ashleybmozillafoundation-org/",
    "slug": "ashleybmozillafoundation-org",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/0cb6bbf3d35131fee83cc89e77631f4f?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/0cb6bbf3d35131fee83cc89e77631f4f?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/0cb6bbf3d35131fee83cc89e77631f4f?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1532" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 1300,
    "name": "Barbara Bermes",
    "url": "",
    "description": "",
    "link": "https://blog.mozilla.org/blog/author/bbermesmozilla-com/",
    "slug": "bbermesmozilla-com",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/c468e099765e97cd762a362a61ca3034?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/c468e099765e97cd762a362a61ca3034?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/c468e099765e97cd762a362a61ca3034?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/1300" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  },
  {
    "id": 501,
    "name": "Brett Gaylor",
    "url": "",
    "description": "Director of Mozilla's Open Web Fellows. Brett also makes documentaries about the Internet: Do Not Track and Rip! A Remix Manifesto",
    "link": "https://blog.mozilla.org/blog/author/popcorn/",
    "slug": "popcorn",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/d3a122c854162c7e6222e79069a9854e?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/d3a122c854162c7e6222e79069a9854e?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/d3a122c854162c7e6222e79069a9854e?s=96&d=mm&r=g"
    },
    "meta": [],
    "simple_local_avatar": null,
    "_links": {
      "self": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users/501" } ],
      "collection": [ { "href": "https://blog.mozilla.org/wp-json/wp/v2/users" } ]
    }
  }
]
Fix:
Using this code will hide the users list and give a 404 as the result, while the rest of the API calls keep running as they were.
<?php
// Remove the two user routes from the REST route table so that
// requests to them fall through to the REST server's 404 response.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Collection route: /wp-json/wp/v2/users
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Single-user route: /wp-json/wp/v2/users/<id>
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
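The filter above removes the user routes for every request, including the logged-in editors whose block editor fetches /wp/v2/users to populate the post author selector. The variant below is an added example, not code from the report or from WordPress core: it applies the same rest_endpoints filter but keeps the routes for authenticated users who hold the core list_users capability, so only anonymous visitors (and cookie sessions that send no REST nonce, which core treats as anonymous) get the 404. It assumes a standard WordPress install and is meant to be dropped into wp-content/mu-plugins/ as its own file.

```php
<?php
/**
 * Added example (not the reporter's code): hide the REST API user routes
 * from unauthenticated requests while leaving them available to users
 * who are allowed to list users in wp-admin.
 *
 * Assumption: installed as wp-content/mu-plugins/hide-rest-users.php
 * on an ordinary WordPress site. 'list_users' is a core capability.
 */

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Users who can see the Users screen keep full access, which is what
    // the block editor's author dropdown and similar admin features need.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Everyone else: drop the collection and single-user routes so the
    // REST server answers 404 for them. unset() on a missing key is a no-op.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

Two caveats when deciding whether to deploy this. Core already limits the unauthenticated listing to accounts that have published posts, so what the report shows is the set of public authors rather than every account on the site; the filter is for sites that do not want even that exposed over the API. And the change is confined to the REST API: the link values in the response point at ordinary author archive pages for the same slugs, which this filter does not affect, so removing the route alone does not make those author identities private.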