Making WordPress.org

Opened 8 months ago

Last modified 8 months ago

#3253 new enhancement

Sensitive Post type data Can be Exported via WXR

Reported by: TJNowell
Owned by:
Milestone:
Priority: low
Component: WordCamp Site & Plugins
Keywords: needs-patch good-first-bug
Cc:

Description

At the moment the WP exporter lists all post types as options for export, including reimbursements and payments.

This means any WXR export of a WCamp site will contain personal information, complicating any efforts to work in a local meta environment, and enabling compromised accounts easy access to banking information and addresses.

I would suggest that these 2 post types be filtered out from any export and removed as options programmatically.

Similarly, the following post types are exportable, and may contain personally identifiable information:

  • emails
  • sponsor invoices
  • order
  • feedback
  • attendees

While this information is currently limited to Organisers and super admins, a rogue account could compromise this information easily in bulk via the exporter.

Change History (1)

#1 @iandunn
8 months ago

  • Keywords needs-patch good-first-bug added
  • Priority changed from normal to low
  • Type changed from defect to enhancement

Hey Tom, in the future, I think potential privacy issues like this are best reported via HackerOne, so that we can resolve any problems before we make them public.

In the case of the budgeting tools, though, I don't think there's anything to really be worried about. All of that data is already encrypted at rest, and won't be decrypted during export.

For example, here's one that contains my personal checking account number:

	<item>
		<title>Lectern lights</title>
		<dc:creator><![CDATA[iandunn]]></dc:creator>
		<guid isPermaLink="false">https://2016.seattle.wordcamp.org/?post_type=wcb_reimbursement&#038;p=1851</guid>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_name_of_payer]]></wp:meta_key>
			<wp:meta_value><![CDATA[Ian Dunn]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_payment_method]]></wp:meta_key>
			<wp:meta_value><![CDATA[Direct Deposit]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_ach_bank_name]]></wp:meta_key>
			<wp:meta_value><![CDATA[encrypted:dng72dBLMrts3LAG/SOXuF9YCsdidhY7xDASW/Sw:om/UTI49mUN8Z01VsXJZAA==:WX3eyZAZhEvZutjUYLW8iMOjbSis6bCta8lXpcto3r8=]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_ach_account_type]]></wp:meta_key>
			<wp:meta_value><![CDATA[Personal]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_ach_routing_number]]></wp:meta_key>
			<wp:meta_value><![CDATA[encrypted:GLhyXYdZjc34:B14QIClvxIa9r5HYuB+FUw==:PAGzDLWb6r1aKDew15uUkdn1Pxz4+Dd1WuW74BIawZQ=]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_ach_account_number]]></wp:meta_key>
			<wp:meta_value><![CDATA[encrypted:8SR4res4FsLohQ==:+SqJeKMu564u++yY2YoiNw==:Y9jNnemRqzdEHV6XN28TWAIUNUT8eA+hsGpuq0TxYdA=]]></wp:meta_value>
		</wp:postmeta>
		<wp:postmeta>
			<wp:meta_key><![CDATA[_wcbrr_ach_account_holder_name]]></wp:meta_key>
			<wp:meta_value><![CDATA[encrypted:7Oe16oFu0Ps=:4vyxJlz6tAA0RtSNsAH/1w==:oaFqiJ9fJZ+cCFZdMjdZPTjhpEa2nm22/wRzwwG8DbU=]]></wp:meta_value>
		</wp:postmeta>
	</item>

Since the encryption relies on a private key, it can only be decrypted by the WordCamp.org production server. In the near future, it will also be redacted, per #3244.

For the other post types, I don't see any harm in changing email addresses to redacted@example.org during export.
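A mitigation along the lines proposed in this ticket (remove the sensitive post types from the exporter, drop the banking meta as defence in depth, and swap e-mail addresses for redacted@example.org), written as an added example for a mu-plugin; it is not code from the ticket or from the WordCamp repository. The `wcb_reimbursement` slug and the `_wcbrr_ach_` meta keys come from the item above; the payments post type slug is an assumption.

```php
<?php
/**
 * Plugin Name: WXR export guard (illustrative example)
 *
 * Drop into wp-content/mu-plugins/ so it loads before the WordCamp plugins
 * register their post types on init.
 */

// Post types that should never be offered on Tools > Export.
// 'wcb_reimbursement' is the slug shown in the ticket; the second is assumed.
const WXR_GUARD_HIDDEN_TYPES = [
	'wcb_reimbursement',
	'wcp_payment_request', // assumed slug for the payments post type
];

// Meta key prefixes whose values are never written to the export file.
const WXR_GUARD_HIDDEN_META_PREFIXES = [ '_wcbrr_ach_' ];

// Core builds both the export screen and the WXR from
// get_post_types( [ 'can_export' => true ] ), so flipping can_export off
// removes the type from the UI and from the file.
add_filter( 'register_post_type_args', function ( $args, $post_type ) {
	if ( in_array( $post_type, WXR_GUARD_HIDDEN_TYPES, true ) ) {
		$args['can_export'] = false;
	}
	return $args;
}, 10, 2 );

// Defence in depth: if a hidden type is re-registered later with
// can_export => true, its banking meta is still skipped.
add_filter( 'wxr_export_skip_postmeta', function ( $skip, $meta_key ) {
	foreach ( WXR_GUARD_HIDDEN_META_PREFIXES as $prefix ) {
		if ( 0 === strpos( $meta_key, $prefix ) ) {
			return true;
		}
	}
	return $skip;
}, 10, 2 );

// Replace e-mail addresses in exported content and excerpts with a
// placeholder, as suggested for the emails/attendees/order post types.
function wxr_guard_redact_emails( $content ) {
	return preg_replace(
		'/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i',
		'redacted@example.org',
		(string) $content
	);
}
add_filter( 'the_content_export', 'wxr_guard_redact_emails' );
add_filter( 'the_excerpt_export', 'wxr_guard_redact_emails' );
```

The `wxr_export_skip_postmeta` filter only covers postmeta; e-mail addresses stored in meta values of the other post types would need a separate `wxr_export_skip_postmeta` rule or redaction at the meta level.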
