now i am aware about it.

thanks

Put WP, as an organization, aside. Let’s look at the vulnerability as just that: a vulnerability.

Next week Bill Snoaks is going to write a plugin that does everything three current, very popular plugins do, but, instead of having to use all three, you use just one, plus — it has a few other goodies built in. On top of that, though, Bill also adds a snip of coding to call home — to his site (he isn’t uploading the plugin to the WP Plugin site, but rather self-hosting the plugin. He uses this vulnerability to have the “call home” feature relay all that information to him, which is now stored in a database. Big deal, right?

Bill takes that database, sells it or gives it to friends. They now know the URL of the site, the version software you’re running (easily discernable by visiting the site and/or doing VIEW SOURCE unless, of course, the site has snipped some footer content, as well as header content, to get rid of WP’s versioning info). Instead of having to hunt down each site, Bill’s plugin is now calling home with info on a few thousand sites, at least.

What could happen as a result? I dunno, why don’t you tell me?

I am not trying to suggest wordpress.org will misuse the information sent to them.
I am just trying to make people aware of what is being sent back to the mothership, and what plugins they need to install if they do not want this information to be sent.
Thats all.

Thanks.

First, you’re misusing the term “personally identifiable information.” While some of the info they send back isn’t public knowledge, it’s doesn’t identify an individual. That’s what “personally identifiable” means.

Second, it doesn’t look like they’re sending all the data you list. The only new information being sent by the update checker is PHP version and a list of plugins.

It does appear that this opens up a slight new possibility of a security vulnerability, but it looks like the odds are very slight. It certainly isn’t like they’re suddenly sending personal information about you back to the mothership. This is some pretty benign stuff.

now i am aware about it.

thanks

The comment about not being sure about what they will do with the info, but “will find some use for it in the future” is inherently wrong — especially for an open-source, supposedly open, supposedly “friendly” community that wants to grow.

More and more, it looks like Founder’s Syndrome has set in among the clique that’s formed in “the community”, and if you’re not in that clique, well, you’re a nobody and ought be discarded — oh, but use WordPress!

but when people are asking questions, please see what kind of response they get.

If you don’t trust wordpress.org, I suggest you do one of the following:
1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.
- Matt

as you can see in this link. http://comox.textdrive.com/pipermail/wp-hackers/2007-September/014868.html

This is the answer that made me write this post.

It could very well be addressed something like this.
“We are already on a “code freeze” for the 2.3 release and so we would try to include an admin option in the next version of WordPress.”

This is the kind of step I want them to take.

I know there are so many optional functionality in WordPress, but when you are adding a new feature that could potentially collect personally identifiable information, they should make the user aware of what is going on.
That is the missing thing here.