// Post Status Notes

Active Install Data Story Update: Not a breach but abuse of an endpoint

John James Jacoby has been the main source of (unofficial) information about the removal of active install statistical tracking for plugins in the WordPress.org repository. On Friday, he provided more technical details on the WPwatercooler podcast.


At the WPwatercooler, JJJ cleared up some of the mystery…

A quick summary of what we learned, starting at the 25:41 mark on the video:

  • There are two very simple endpoints that have provided the obfuscated active install data at wordpress.org since 2017.
  • They are plain PHP files rather than routes that map to anything else; they query the database and return a JSON result for properly formed queries.
  • Inevitably, people poke at them and test which parameters they accept. About a year ago, errors caused by bad data fed to an endpoint filled up the error logs. There was no data leak, and the problem was fixed. But as a side effect of that fix, the endpoints now return different headers depending on the input they are hit with.
  • Those differing headers can be read as true/false answers. In essence, a request can reveal whether a plugin’s install count is zero or not zero, or whether a given slug exists. It’s not serious, but it leaks information that was never intended to be available this way.
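The pattern JJJ describes is a general one: a lookup endpoint whose status code or headers vary with the lookup outcome becomes a yes/no oracle even when the body gives nothing away. The following is an added example, not code from wordpress.org or from the podcast. It models a hypothetical install-count endpoint in two forms, a leaky one whose response metadata differs by case and a hardened one that returns a single status and header set for every outcome, and includes the uniformity check a maintainer can run before and after a fix. The slugs, counts, handler names and bucketing scheme are all invented for the example.

```python
"""Response-uniformity check for a lookup endpoint (added example, not
wordpress.org code). The handlers below are hypothetical stand-ins."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed stand-in for the database: plugin slug -> raw active install count.
# Slugs and counts are invented for this example.
SAMPLE_DB: Dict[str, int] = {
    "example-plugin": 1200,
    "quiet-plugin": 0,
}


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def bucket(count: int) -> str:
    """Obfuscate a raw count into a coarse bucket (assumed scheme, not wordpress.org's)."""
    for bound in (1000, 100, 10):
        if count >= bound:
            return f"{bound}+"
    return "fewer than 10"


def leaky_handler(slug: str) -> Response:
    """Hypothetical handler whose status and headers vary with the lookup
    outcome; that variation is what turns the endpoint into a true/false oracle."""
    count = SAMPLE_DB.get(slug)
    if count is None:  # unknown slug: bare 404 with a text/plain header
        return Response(404, {"Content-Type": "text/plain"}, "")
    if count == 0:  # zero installs: empty 204 with no headers at all
        return Response(204, {}, "")
    return Response(
        200,
        {"Content-Type": "application/json", "Cache-Control": "max-age=3600"},
        json.dumps({"active_installs": bucket(count)}),
    )


def uniform_handler(slug: str) -> Response:
    """Hardened handler: one status and one header set for every outcome, so
    only the intentionally exposed body field can differ. Unknown slugs and
    zero counts both collapse to null."""
    count = SAMPLE_DB.get(slug)
    value = bucket(count) if count else None
    return Response(
        200,
        {"Content-Type": "application/json", "Cache-Control": "no-store"},
        json.dumps({"active_installs": value}),
    )


def response_surface(
    handler: Callable[[str], Response], slugs: Iterable[str]
) -> Set[Tuple[int, Tuple[Tuple[str, str], ...]]]:
    """Collect the distinct (status, headers) shapes a handler produces over a
    set of inputs. More than one shape means the metadata encodes the outcome."""
    shapes = set()
    for slug in slugs:
        r = handler(slug)
        shapes.add((r.status, tuple(sorted(r.headers.items()))))
    return shapes


def leaks_via_metadata(handler: Callable[[str], Response], slugs: Iterable[str]) -> bool:
    """True when status/headers alone distinguish the inputs."""
    return len(response_surface(handler, slugs)) > 1


# Constructed probe set covering the three cases: nonzero, zero, and unknown slug.
PROBE_SLUGS = ("example-plugin", "quiet-plugin", "no-such-plugin")

if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("uniform", uniform_handler)):
        print(f"{name}: leaks via status/headers = {leaks_via_metadata(handler, PROBE_SLUGS)}")
```

The check deliberately ignores the body: whatever the body is designed to expose is a product decision, while status codes and headers that differ by case are almost always an accident of error handling, which matches the "side effect of a fix" story above. Running the same probe set against a staging copy of an endpoint, and failing the build when more than one shape comes back, catches this class of regression before it reaches production.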