// Post Status Notes

Active Install Data Story Update: Not a breach but abuse of an endpoint

At the WPwatercooler, JJJ cleared up some of the mystery…

A quick summary of what we learned, starting at the 25:41 mark on the video:

  • There are two very simple endpoints that have served the obfuscated active-install data at wordpress.org since 2017.
  • They are plain PHP files, not routes that map to anything else in the application. Each one queries the database and returns a JSON result for a properly formed request.
  • Inevitably, people poke at them, test the parameters they accept, and so on. About a year ago, errors caused by bad data fed to an endpoint filled up the error logs. There was no data leak. It was fixed, but the fix had a side effect: the endpoint now returns different response headers depending on the input it is given.
  • Those header differences can be read as true/false answers. In essence, a caller can work out whether a plugin's install count is zero or non-zero, or whether a given slug exists, by comparing responses rather than by reading the data itself. It is not serious, but it is information that was not intended to be available this way.
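The failure mode in the last two points, a boolean oracle created by error handling rather than by the data an endpoint returns, is easy to reproduce in miniature. The following is an added illustration, not wordpress.org's code, and it assumes nothing about how the real endpoints are written. The install buckets, slugs and handler names (`leakyHandler`, `uniformHandler`, `distinguishableClasses`) are all constructed for the example. The leaky handler takes a different code path for malformed input, unknown slugs and zero-install plugins, so the status line and headers alone answer the "does this slug exist" and "is the count zero" questions. The uniform handler answers every request with the same status, the same headers and the same body shape, and folds zero installs and unknown slugs into the lowest obfuscated bucket, so the transport layer carries no extra bit.

```php
<?php
declare(strict_types=1);

// Added example, not wordpress.org's code. Constructed sample data:
// slug => obfuscated active-install bucket. A real endpoint would query
// a database here.
const INSTALLS = [
    'hello-dolly'     => '1,000,000+',
    'some-new-plugin' => '0',
];

// Lowest bucket the public data uses. Zero installs and unknown slugs are
// both reported as this, so neither is distinguishable from "very few".
const LOWEST_BUCKET = 'fewer than 10';

// Slug grammar used by both handlers (constructed for the example).
const SLUG_RE = '/^[a-z0-9-]{1,200}$/';

/**
 * Leaky version. Each unhappy path returns a different status code and
 * header set, so a caller learns whether the slug exists and whether its
 * count is zero without the JSON body ever saying so.
 */
function leakyHandler(array $query): array
{
    $slug = $query['slug'] ?? '';
    if (!preg_match(SLUG_RE, $slug)) {
        return ['status' => 400, 'headers' => ['X-Error: bad-slug'], 'body' => ''];
    }
    if (!array_key_exists($slug, INSTALLS)) {
        return ['status' => 404, 'headers' => [], 'body' => ''];
    }
    if (INSTALLS[$slug] === '0') {
        // "Nothing to report" short-circuit: a zero count becomes a 204.
        return ['status' => 204, 'headers' => [], 'body' => ''];
    }
    return [
        'status'  => 200,
        'headers' => ['Content-Type: application/json'],
        'body'    => json_encode(['slug' => $slug, 'installs' => INSTALLS[$slug]]),
    ];
}

/**
 * Hardened version. Malformed input, unknown slugs and zero-install plugins
 * all produce the same status, headers and body shape. Only the JSON value
 * differs, and that value is the obfuscated bucket the endpoint is meant to
 * publish anyway.
 */
function uniformHandler(array $query): array
{
    $slug   = $query['slug'] ?? '';
    $valid  = (bool) preg_match(SLUG_RE, $slug);
    $bucket = LOWEST_BUCKET;
    if ($valid && array_key_exists($slug, INSTALLS) && INSTALLS[$slug] !== '0') {
        $bucket = INSTALLS[$slug];
    }
    return [
        'status'  => 200,
        'headers' => ['Content-Type: application/json'],
        'body'    => json_encode(['slug' => $valid ? $slug : null, 'installs' => $bucket]),
    ];
}

/**
 * Probe: how many distinct (status, headers) signatures does a handler emit
 * across a set of inputs? Anything above 1 is a side channel a caller can
 * use as a yes/no oracle, regardless of what the body contains.
 */
function distinguishableClasses(callable $handler, array $slugs): int
{
    $seen = [];
    foreach ($slugs as $s) {
        $r = $handler(['slug' => $s]);
        $seen[] = $r['status'] . '|' . implode(';', $r['headers']);
    }
    return count(array_unique($seen));
}

// Constructed probe set: a real plugin, a zero-install plugin, an unknown
// slug and malformed input.
$probe = ['hello-dolly', 'some-new-plugin', 'no-such-plugin', 'Bad Slug!'];
printf("leaky handler:   %d distinguishable response classes\n", distinguishableClasses('leakyHandler', $probe));
printf("uniform handler: %d distinguishable response classes\n", distinguishableClasses('uniformHandler', $probe));
```

Run it with `php` on the command line. The leaky handler yields four response classes for four inputs, which is exactly the oracle described above; the uniform handler yields one. Collapsing zero and unknown into the lowest published bucket is a deliberate design choice: once an endpoint's job is to hand out deliberately coarse data, its error handling has to be at least as coarse, or the errors become the precise channel the obfuscation was meant to close.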