Sensitive information in WP REST-API

WordPress has had a REST API integrated since version 4.7. It is the way WP will be used in the future, but it currently has some downsides. The problem is that WP uses gravatars in the default settings; you can find them in comments and in user profiles. Both have their own endpoint in the REST API:

  • /wp-json/wp/v2/users
  • /wp-json/wp/v2/comments

Gravatars use MD5 hashes of user e-mail addresses, so it is relatively easy to reverse many of them. Chris Herbert made a very nice tool called WordPress Expose to demonstrate this problem.

In the case of user profiles it also reveals the user login name, so it can be used for weak-password hunting. I was the first to describe this issue, but unfortunately the WP core team didn't agree with me. WordFence implemented a fix in 6.2.8.
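As an added illustration of how a site owner can close the two leaks described above (example code, not the post's, WordPress core's or WordFence's): a small must-use plugin that hooks the core `rest_prepare_user` and `rest_prepare_comment` filters and strips the `avatar_urls` / `author_avatar_urls` fields (which embed the MD5 of the e-mail) and the login-derived `slug` from responses served to visitors without the relevant capability. The plugin name and the chosen capabilities (`list_users`, `moderate_comments`) are assumptions; the filter names and field names are the ones WordPress 4.7+ uses.

```php
<?php
/*
 * Plugin Name: Hide gravatar hashes in the REST API (added example)
 *
 * Assumed plugin, not code from the original post or from WordPress core.
 * Drops the avatar URLs (which carry the MD5 of the account e-mail) from
 * /wp-json/wp/v2/users and /wp-json/wp/v2/comments, and hides the login-derived
 * slug of user objects, for requests that lack the relevant capability.
 * Install by copying into wp-content/mu-plugins/.
 */

// User objects: anonymous visitors (and anyone who may not list users) get
// neither the avatar URLs nor the slug. The slug is the user_nicename, which
// is derived from and usually identical to the login name.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    if ( current_user_can( 'list_users' ) ) {
        return $response; // administrators keep the full object
    }
    $data = $response->get_data();
    unset( $data['avatar_urls'] );
    unset( $data['slug'] );
    $response->set_data( $data );
    return $response;
}, 10, 3 );

// Comment objects: strip the commenter's avatar URLs, which embed the MD5 of
// the e-mail the commenter supplied, unless the caller may moderate comments.
add_filter( 'rest_prepare_comment', function ( $response, $comment, $request ) {
    if ( current_user_can( 'moderate_comments' ) ) {
        return $response;
    }
    $data = $response->get_data();
    unset( $data['author_avatar_urls'] );
    $response->set_data( $data );
    return $response;
}, 10, 3 );
```

After activating it, request `/wp-json/wp/v2/users` and `/wp-json/wp/v2/comments` as an anonymous client and confirm that neither `avatar_urls`/`author_avatar_urls` nor `slug` appear; then repeat while logged in as an administrator to confirm the fields are still there for callers who are allowed to see them. The filters only change the JSON the REST controllers emit, so the gravatar images shown in the rendered theme are unaffected.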

Mitigation:
