REST API User Enumeration
-
[ Moved to Everything WordPress ]
Hi Everyone,
I’m running a bunch of WordPress sites and only recently noticed that the REST API was exposing all usernames on all sites by default. This is very disturbing. On any given site with 4.7+ I can do:
<site>/wp-json/wp/v2/users
And the usernames are all visible and ready to get brute forced. Even if the brute force attach is mitigated by other tools, the email addresses and usernames can be useful on other attack vectors.
I’ve been digging around the web and I can’t find any justification for this being on by default. I’ve installed the Disable REST API plugin (https://ww.wp.xz.cn/plugins/disable-json-api/) to turn off this functionality on my sites, but I wish I didn’t need to do that.
Why has WordPress taken such an insecure stance out of the box?
-
Because user names are not a security issue, same as email addresses. You can, however, prevent that with a plugin such as Wordfence.
https://ww.wp.xz.cn/plugins/wordfence/
There are others but I know that that one works. No, I do not use any security plugins and I don’t believe they’re necessary myself. I have lots of reasons for that but your mileage may vary. π
Otto had a really good reply about that and I’m going to link and quote it here.
https://ww.wp.xz.cn/support/topic/major-security-bug-still-in-latest-version/?view=all#post-8675356
Edit: Aaaand the forums quote CSS mungs the formating. Here’s text.
++++++++++++++++++++++++
To answer your point, WordPress doesn’t consider usernames or user ids to be private or secure information. Here are a few points for your consideration:1. On most sites, usernames are pretty readily available/visible, and users don’t treat it as private.
2. There are many places where the “username” could be disclosed. Author archives URLs contain it, it’s in the RSS feeds, it’s used in the body_class for author archives, and so forth. All of these actually use the “user_nicename”, but for most cases, this is the same as the username.
3. Most importantly, the username is not actually considered secret information. Disclosure of it is not a security risk.
With regards to the last one, consider what would be the case if the username was actually considered “private” and so strong attempts were made to hide it. In that case, we’d essentially be treating it as if it were a second password. Now, if we assume that the user already has a strong password, then the username-as-a-password is simply an additional bit of information to “add-on” to that existing strong password. So the total password strength is now their existing strong password plus the hidden username.
The problem with this sort of thinking is that, generally speaking, people are trained to pick strong passwords (hopefully), but not to pick strong usernames. So this means that they are going to be picking an easy to use/remember username, which also happens to make it particularly weak as a password. It is better to teach people to pick stronger passwords instead, making the username irrelevant.
The concept of having a second “password” is silly on the face of it, really. Consider the case where instead of a username and a password, we simply had two password fields. You have to know your first password, and your second password. Now, that seems dumb right away, doesn’t it? Because a password has no length limit, you could simply add the two passwords together and put them in one field. So, why have two of them? Similarly, why make your username complicated like a password would be? Just make your password longer and stronger.
Also, let’s consider that the “username” is kind of dead as an identifier at this point anyway. Look at Facebook and Google, for example. They don’t even have usernames, they simply use your email address as the account identifier. WordPress now supports logging in with either a username or email as well. Finding out somebody’s email address tends to be pretty easy (you share yours with everybody you send email to), so are these services insecure because there is no username used on them to begin with?
Keeping the username semi-public at least teaches people that it’s not meant to be hidden, and that they should rely on strong passwords for security. Ideally, we’d slowly phase out username altogether and just use email addresses. At least people usually remember those. Username is really a relic and a way to have friendly identifiers for other purposes (like those Author URLs).
Certainly, you can easily discover that my username on my blog is “otto”, but that doesn’t get you any closer to brute-forcing my 20+ character password, so it’s irrelevant.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing: https://drupal.org/node/1004778
++++++++++++++++++++++++
It’s a good reply and I hope that explains it to you.
The topic ‘REST API User Enumeration’ is closed to new replies.