Comments on: WordPress 2.3 - Privacy Issue - My Thoughts

By: andar909

andar909 — Mon, 11 Aug 2008 05:37:09 +0000

hi, andar here, i just read your post. i like very much. agree to you, sir.

By: Vern

Vern — Wed, 07 Nov 2007 20:56:23 +0000

Thanks, Sadish, for this information. When I looked around today to see what the new features were in WP 2.3, I couldn’t quickly find any info. I hopped over to your site to see if an update to one of your cool themes (The Office) was available and came across this post — which gave me exactly the kind of info I would have expected to find in a WordPress update. I have long been a little aggravated with the “automatic” updates and posting in my WP Admin Panel as there was no easy way to get rid of them without them reappearing on every WordPress update. I, too, love WordPress but I hate to see any “bad behavior” creeping into it. Any “call home” function that is not absolutely necessary (and not well explained) begins the creeping phase. Hopefully the developers will continue to guard the code and our privacy as they have done so well in the past.

By: WordPress Themes by Sadish » How to upgrade your WordPress Theme for WP 2.3?

Tue, 06 Nov 2007 15:01:29 +0000

[...] anyone who is starting their blog right now, they can just install the WordPress 2.3 [and some plugins if they are privacy conscious] and start using one of my upgraded [...]

By: forum

forum — Sun, 28 Oct 2007 22:15:45 +0000

I agree with you.

now i am aware about it.

thanks

By: Dave J. (Scoop0901)

Dave J. (Scoop0901) — Wed, 24 Oct 2007 13:07:57 +0000

As Sadish has said, the vulnerability is there.

Put WP, as an organization, aside. Let’s look at the vulnerability as just that: a vulnerability.

Next week Bill Snoaks is going to write a plugin that does everything three current, very popular plugins do, but, instead of having to use all three, you use just one, plus — it has a few other goodies built in. On top of that, though, Bill also adds a snip of coding to call home — to his site (he isn’t uploading the plugin to the WP Plugin site, but rather self-hosting the plugin. He uses this vulnerability to have the “call home” feature relay all that information to him, which is now stored in a database. Big deal, right?

Bill takes that database, sells it or gives it to friends. They now know the URL of the site, the version software you’re running (easily discernable by visiting the site and/or doing VIEW SOURCE unless, of course, the site has snipped some footer content, as well as header content, to get rid of WP’s versioning info). Instead of having to hunt down each site, Bill’s plugin is now calling home with info on a few thousand sites, at least.

What could happen as a result? I dunno, why don’t you tell me?

By: Sadish

Sadish — Tue, 23 Oct 2007 15:07:06 +0000

1. For me, my website’s URL is a personally identifiable information. The moment someone knows my URL, they know who is running it.
2. They do send your blog’s url along with the plugins and their version numbers.

I am not trying to suggest wordpress.org will misuse the information sent to them.
I am just trying to make people aware of what is being sent back to the mothership, and what plugins they need to install if they do not want this information to be sent.
Thats all.

Thanks.

By: Shane

Shane — Mon, 22 Oct 2007 21:21:46 +0000

This doesn’t concern me too much, for a couple of reasons.

First, you’re misusing the term “personally identifiable information.” While some of the info they send back isn’t public knowledge, it’s doesn’t identify an individual. That’s what “personally identifiable” means.

Second, it doesn’t look like they’re sending all the data you list. The only new information being sent by the update checker is PHP version and a list of plugins.

It does appear that this opens up a slight new possibility of a security vulnerability, but it looks like the odds are very slight. It certainly isn’t like they’re suddenly sending personal information about you back to the mothership. This is some pretty benign stuff.

By: Stephan Miller

Stephan Miller — Thu, 11 Oct 2007 23:17:21 +0000

I never thought of it that way or even thought about how the plugins would be able to check for a version. I thought a simple check of plugin name and version would be all that is required. But the extra data?
You could say a company could be trusted with your data so far. But looking at the history of Wordpress.com spamming the search engines, I assume that a cheat could be capable of the same or more again.

By: OPENGIGA

OPENGIGA — Tue, 02 Oct 2007 19:02:16 +0000

I agree with you.

now i am aware about it.

thanks

By: Dave J. (Scoop0901)

Dave J. (Scoop0901) — Fri, 28 Sep 2007 23:26:44 +0000

I agree, Sadish. Matt was irresponsible in the way he handled that response. He seemed a little … too over-protective.

The comment about not being sure about what they will do with the info, but “will find some use for it in the future” is inherently wrong — especially for an open-source, supposedly open, supposedly “friendly” community that wants to grow.

More and more, it looks like Founder’s Syndrome has set in among the clique that’s formed in “the community”, and if you’re not in that clique, well, you’re a nobody and ought be discarded — oh, but use WordPress!