Opened 7 years ago

Closed 4 years ago

#3253 closed enhancement (maybelater)

Sensitive Post type data Can be Exported via WXR

Reported by: tjnowell's profile TJNowell Owned by:
Milestone: Priority: low
Component: WordCamp Site & Plugins Keywords: needs-patch good-first-bug


At the moment the WP exporter lists all post types as options for export, including reimbursements and payments.

This means any WXR export of a WCamp site will contain personal information, complicating any efforts to work in a local meta environment, and enabling compromised accounts easy access to banking information and addresses.

I would suggest that these 2 post types be filtered out from any export and removed as options programmatically.

Similarly, the following post types are exportable, and may contain personally identifiable information:

  • emails
  • sponsor invoices
  • order
  • feedback
  • attendees

While this information is currently limited to Organisers and super admins, a rogue account could compromise this information easily in bulk via the exporter

Change History (3)

#1 @iandunn
7 years ago

  • Keywords needs-patch good-first-bug added
  • Priority changed from normal to low
  • Type changed from defect to enhancement

Hey Tom, in the future, I think potential privacy issues like this are best reported via HackerOne, so that we can resolve any problems before we make them public.

In the case of the budgeting tools, though, I don't think there's anything to really be worried about. All of that data is already encrypted at rest, and won't be decrypted during export.

For example, here's one that contains my personal checking account number:

		<title>Lectern lights</title>
		<guid isPermaLink="false">;p=1851</guid>
			<wp:meta_value><![CDATA[Ian Dunn]]></wp:meta_value>
			<wp:meta_value><![CDATA[Direct Deposit]]></wp:meta_value>


Since the encryption relies on a private key, it can only be decrypted by the production server. In the near future, it will also be redacted, per #3244.

For the other post types, I don't see any harm in changing email addresses to during export.

This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.

4 years ago

#3 @iandunn
4 years ago

  • Resolution set to maybelater
  • Status changed from new to closed

I split the addresses off into a separate issue.

For the banking info, I don't think we need to do anything else here, since it's encrypted at rest, and redacted once it's no longer needed.

Feel free to reopen if you disagree, though.

Note: See TracTickets for help on using tickets.