Opened 7 years ago
Closed 4 years ago
#3253 closed enhancement (maybelater)
Sensitive Post type data Can be Exported via WXR
| Reported by: | TJNowell | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Component: | WordCamp Site & Plugins | Keywords: | needs-patch good-first-bug |
| Cc: | | | |
Description
At the moment the WP exporter lists all post types as options for export, including reimbursements and payments.
This means any WXR export of a WCamp site will contain personal information, complicating any efforts to work in a local meta environment, and enabling compromised accounts easy access to banking information and addresses.
I would suggest that these 2 post types be filtered out from any export and removed as options programmatically.
Similarly, the following post types are exportable, and may contain personally identifiable information:
- emails
- sponsor invoices
- order
- feedback
- attendees
While this information is currently limited to Organisers and super admins, a rogue account could compromise this information easily in bulk via the exporter.
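One way to do the programmatic removal suggested above, as an added example that is not code from the ticket or from the WordCamp.org plugins: the core exporter (wp-admin/includes/export.php) builds both the "All content" set and the per-post-type options from `get_post_types( array( 'can_export' => true ) )`, so marking a post type `can_export => false` removes it from every WXR file. The `register_post_type_args` filter (WordPress 4.4+) lets a small plugin do that for post types registered by other plugins. The post type slugs in the array are placeholders standing in for the types named in the ticket, and the `example_` function names are this example's own.

```php
<?php
/**
 * Plugin Name: Hide sensitive post types from WXR export (example)
 *
 * Added example, not WordCamp.org code. Flips can_export to false for a list
 * of post types so the core exporter neither offers them as options nor
 * includes them in an "All content" export.
 */

// Placeholder slugs standing in for the post types named in the ticket
// (payments, reimbursements, sponsor invoices, emails, orders, feedback,
// attendees). Replace with the slugs actually registered on the site.
function example_sensitive_post_types() {
    return array(
        'placeholder_payment_request',
        'placeholder_reimbursement',
        'placeholder_sponsor_invoice',
        'placeholder_email',
        'placeholder_order',
        'placeholder_feedback',
        'placeholder_attendee',
    );
}

/**
 * Runs for every register_post_type() call, including ones made by other
 * plugins, so the sensitive types are non-exportable wherever they are
 * registered. Load this plugin before the plugins that register the types
 * (e.g. as an mu-plugin) so the filter is attached in time.
 */
function example_block_sensitive_export( $args, $post_type ) {
    if ( in_array( $post_type, example_sensitive_post_types(), true ) ) {
        $args['can_export'] = false;
    }
    return $args;
}
add_filter( 'register_post_type_args', 'example_block_sensitive_export', 10, 2 );

/**
 * Defence in depth: export_wp() already falls back to exporting posts when a
 * request names a type whose can_export is false, but the 'export_wp' action
 * (fired with the parsed arguments before any output) lets the site stop the
 * request explicitly and leave a log line for the operators.
 */
function example_abort_sensitive_export( $args ) {
    if ( isset( $args['content'] ) && in_array( $args['content'], example_sensitive_post_types(), true ) ) {
        error_log( sprintf(
            'Blocked WXR export of post type "%s" requested by user %d',
            $args['content'],
            get_current_user_id()
        ) );
        wp_die( 'This post type contains personal data and cannot be exported.' );
    }
}
add_action( 'export_wp', 'example_abort_sensitive_export' );
```

Because the hide happens at registration time rather than in the export UI, a direct request to export.php for one of these types gets the same treatment as a click on the Tools > Export screen.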
Change History (3)
#1
@
7 years ago
- Keywords needs-patch good-first-bug added
- Priority changed from normal to low
- Type changed from defect to enhancement
This ticket was mentioned in Slack in #meta-wordcamp by iandunn. View the logs.
4 years ago
#3
@
4 years ago
- Resolution set to maybelater
- Status changed from new to closed
I split the addresses off into a separate issue.
For the banking info, I don't think we need to do anything else here, since it's encrypted at rest, and redacted once it's no longer needed.
Feel free to reopen if you disagree, though.
Hey Tom, in the future, I think potential privacy issues like this are best reported via HackerOne, so that we can resolve any problems before we make them public.
In the case of the budgeting tools, though, I don't think there's anything to really be worried about. All of that data is already encrypted at rest, and won't be decrypted during export.
For example, here's one that contains my personal checking account number:
Since the encryption relies on a private key, it can only be decrypted by the WordCamp.org production server. In the near future, it will also be redacted, per #3244.
For the other post types, I don't see any harm in changing email addresses to redacted@example.org during export.
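The redaction suggested in that comment can be done with the exporter's own hooks; the following is an added example, not code from the ticket or from WordCamp.org. `the_content_export` and `the_excerpt_export` run only inside export_wp(), and `wxr_export_skip_postmeta` lets a plugin drop meta rows (it cannot rewrite them). The regular expression, the `example_` names and the constant are this example's own assumptions. Fields the exporter writes without a filter, such as author and commenter e-mail addresses, need a separate approach and are not covered here.

```php
<?php
/**
 * Plugin Name: Redact e-mail addresses in WXR export (example)
 *
 * Added example, not WordCamp.org code. While a WXR export is being written,
 * replaces e-mail addresses in post content and excerpts with
 * redacted@example.org and omits post meta whose value is an e-mail address.
 */

const EXAMPLE_REDACTED_EMAIL = 'redacted@example.org';

// Deliberately loose pattern: over-matching in an export file is preferable
// to letting a real address through.
const EXAMPLE_EMAIL_PATTERN = '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/';

/**
 * Replace every e-mail address in a string. Non-strings (e.g. null) are
 * returned untouched so the filter never changes a value's type.
 */
function example_redact_emails( $text ) {
    if ( ! is_string( $text ) || '' === $text ) {
        return $text;
    }
    return preg_replace( EXAMPLE_EMAIL_PATTERN, EXAMPLE_REDACTED_EMAIL, $text );
}

// Export-only filters: normal page rendering and feeds are unaffected.
add_filter( 'the_content_export', 'example_redact_emails' );
add_filter( 'the_excerpt_export', 'example_redact_emails' );

/**
 * Post meta cannot be rewritten by the exporter, only skipped. $meta is the
 * raw postmeta row (->meta_key, ->meta_value); serialized values are
 * unserialized first so a plain string inside them is still checked.
 */
function example_skip_email_meta( $skip, $meta_key, $meta ) {
    if ( $skip ) {
        return true;
    }
    $value = maybe_unserialize( $meta->meta_value );
    if ( is_string( $value ) && preg_match( EXAMPLE_EMAIL_PATTERN, $value ) ) {
        return true;
    }
    return $skip;
}
add_filter( 'wxr_export_skip_postmeta', 'example_skip_email_meta', 10, 3 );

// Same treatment for comment meta, which has its own skip filter.
add_filter( 'wxr_export_skip_commentmeta', 'example_skip_email_meta', 10, 3 );
```

Skipping a meta row rather than rewriting it means the importing site will lack that key entirely; for a local development copy that is usually the desired outcome, since the point is that the personal data never leaves production.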