Active Install Data Story Update: Not a breach but abuse of an endpoint

At the WPwatercooler, JJJ clears up some of the mystery…

There are two very simple and still live endpoints that have provided the obfuscated active install data at wordpress.org since 2017.

They’re just plain PHP files, not endpoints that map to anything else. They query the database and return a JSON result for properly formed requests.

People poke at them, test which parameters they accept, and so on. About a year ago, errors from bad data fed to one of the endpoints filled up the error logs. There was no data leak, and it was fixed. But as a result of that fix, probing the endpoint now returns different headers depending on what it is hit with.

It’s possible to derive true/false information from that difference: is a plugin’s install count zero or not zero, does a certain slug exist… It’s not serious, but it is leaking information that is not intended to be available there.
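The failure mode described above is a response-difference oracle: the body never says "this slug does not exist" or "this count is zero", but the status code and header set vary with the input, and an observer who compares a probe against a known-bad control can read those facts off the difference. The following is a constructed illustration added here, not code from wordpress.org or the WPwatercooler discussion. The slugs, counts, the `bucket()` obfuscation scheme, the handler names and the response shapes are all invented for the example; it shows the leaky pattern beside a uniform-response version and the comparison an observer (or an auditor) would run.

```python
"""
Constructed illustration of a response-difference oracle on a JSON
endpoint, and of a uniform-response fix. Hypothetical code; not the
wordpress.org endpoints or their real obfuscation scheme.
"""
import json
from dataclasses import dataclass

# Constructed sample table standing in for the active-install data.
# Slugs and counts are invented for this example.
INSTALLS = {
    "example-plugin": 12000,
    "dormant-plugin": 0,
    "tiny-plugin": 4,
}

JSON_HEADERS = (("Content-Type", "application/json"),)


@dataclass(frozen=True)
class Response:
    status: int
    headers: tuple   # (name, value) pairs in a fixed order
    body: str


def bucket(count):
    """Stand-in for count obfuscation (invented): fold small counts,
    including zero, into one bucket so they are not distinguishable."""
    if count < 10:
        return "<10"
    if count < 1000:
        return f"{count // 10 * 10}+"
    return f"{count // 1000 * 1000}+"


def valid_slug(slug):
    """Minimal input check for a plugin slug (letters, digits, dashes)."""
    return isinstance(slug, str) and 0 < len(slug) <= 64 and slug.replace("-", "").isalnum()


def leaky_handler(params):
    """Every failure path has its own status and header set, so the
    response fingerprint reveals which path was taken."""
    slug = params.get("slug")
    if not valid_slug(slug):
        return Response(400, (("Content-Type", "text/plain"),), "bad request")
    if slug not in INSTALLS:
        return Response(404, JSON_HEADERS, json.dumps({"error": "unknown slug"}))
    count = INSTALLS[slug]
    if count == 0:
        return Response(204, (), "")   # "nothing to report"
    return Response(200, JSON_HEADERS + (("Cache-Control", "max-age=3600"),),
                    json.dumps({"active_installs": bucket(count)}))


def uniform_handler(params):
    """Same status and headers on every path. Unknown and malformed slugs
    are answered exactly like a plugin in the lowest bucket, so neither
    slug existence nor zero/non-zero is observable."""
    slug = params.get("slug")
    count = INSTALLS.get(slug, 0) if valid_slug(slug) else 0
    return Response(200, JSON_HEADERS, json.dumps({"active_installs": bucket(count)}))


def fingerprint(resp):
    """What an observer sees without reading the body (cf. `curl -I`)."""
    return (resp.status, resp.headers)


def distinguishable(handler, probe_slug, control_slug="no-such-plugin-zz9"):
    """The oracle: does probing `probe_slug` look any different from
    probing a slug that certainly does not exist?"""
    probe = handler({"slug": probe_slug})
    control = handler({"slug": control_slug})
    return fingerprint(probe) != fingerprint(control) or probe.body != control.body


def distinct_fingerprints(handler, slugs):
    """Audit helper: a hardened endpoint should yield exactly one
    fingerprint across valid, unknown, malformed and zero-count inputs."""
    return {fingerprint(handler({"slug": s})) for s in slugs}


if __name__ == "__main__":
    probes = ["example-plugin", "dormant-plugin", "tiny-plugin", "no-such-plugin-zz9", "bad slug!"]
    for name, h in (("leaky", leaky_handler), ("uniform", uniform_handler)):
        print(name, "distinct fingerprints:", len(distinct_fingerprints(h, probes)))
        for s in probes:
            print(f"  {s!r}: distinguishable from control = {distinguishable(h, s)}")
```

The audit check is the useful part: feed the endpoint a valid slug, an unknown slug, a malformed parameter and a known zero-count slug, and compare status and headers. Anything other than a single fingerprint is a boolean oracle, whether or not the bodies differ. Note that the obfuscated count for a popular plugin is still visible in the uniform version; that is the data the endpoint is meant to serve, and the fix only removes what the error paths were giving away.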

This article was published at Post Status — the community for WordPress professionals.
