Active Install Data Story Update: Not a breach but abuse of an endpoint

Categorized under:

, , , ,
Photo of author
Written By Dan Knauss

At the WPwatercooler, JJJ cleared up some of the mystery…

A quick summary of what we learned, starting at the 25:41 mark on the video:

  • There are two very simple endpoints that have provided the obfuscated active install data at wordpress.org since 2017.
  • They’re just PHP files, not endpoints that map to anything else. They access the database to give a JSON result to properly formed queries.
  • Inevitably, people poke at them, test the parameters they accept, etc. Errors coming from bad data fed to an endpoint filled up the error logs about a year ago. There was no data leak. It was fixed. But as a result of that fix, testing the endpoint now returns different headers based on what it’s hit with.
  • It’s possible to derive true/false information from the headers that are returned. In essence, you can derive a correct answer to whether a plugin’s install count is zero/not zero or whether a certain slug exists. It’s not serious, but it’s leaking information that’s not intended to be available this way.

2 thoughts on “Active Install Data Story Update: Not a breach but abuse of an endpoint”

Comments are closed.

A2 Hosting
WordPress.com
Post Status

The Community for WordPress Professionals

Post Status

About

Jobs

Contact Us

Opportunities

Enterprise Sponsorships

Submit a Project

Partner Directory

Digital Agencies

Products

plugins

Hosts

Resources

Podcasts

Higher Ed Agencies

Newsletter Archive

Black Friday Deals

JOIN POST STATUS

[email protected]

Join Today

© 2024 Post Status. All rights reserved

Privacy Policy | Terms of Use