• Resolved jmaraujo

    (@jmaraujo)


    Jetpack has a feature(?) where you can use someone else’s image and their real email without any authentication.

    I wasn’t aware of this until someone replied on my own site impersonating me (I’m the admin). I googled this and found the following:

    https://www.youtube.com/watch?v=v1jhBbS5AJQ

    WordPress.com and the WordPress plugin have a feature, at least that’s what Automattic calls it. You can read our article with quotes from Matt Mullenweg explaining how this issue can be abused at “Anyone can impersonate another user while using their image on any site without authentication”. Even if you log in to wordpress.com, you can still impersonate the user by using their picture. We don’t like this impersonation feature and see it as a bug that requires authentication to fix, but Automattic and Matt Mullenweg don’t seem to see it that way. You can read our full conversation with Matt Mullenweg. We see this as a lack of authentication and a security bug, but we have to go with the company’s ruling that this is indeed a feature. We hope this tutorial will help you out.

    Just by knowing another user’s (or even the admin’s) email, you can fill in the comment form with that email address and comment as if you were that user.

    This is not acceptable behaviour, and IMHO it cannot be considered a feature. Please fix this!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @jmaraujo,

    We definitely aren’t promoting impersonation as a Jetpack feature. This behaviour isn’t specific to Jetpack or WordPress — it’s the same for any web or comment form that doesn’t require a visitor to login before submitting information.

    If this is a concern for comments submitted on your own site, there are a couple of options you could look at:

    • Check the option requiring visitors to be logged in to leave a comment
    • Use a plugin that allows comments only from logged-in social media accounts

    You can also make a feature request on WordPress Core if there is a change you would like to see:

    https://core.trac.www.ads-software.com/

    I hope this helps.
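One way to enforce the first of those options in code, as an added example that is not code from Jetpack, WordPress core or anyone in this thread: a small must-use plugin that hooks WordPress’s `preprocess_comment` filter and refuses a submission whose author email belongs to a registered account unless the visitor is logged in as that account. Ordinary anonymous comments keep working; only the impersonation case described above is blocked. It relies on the standard WordPress functions `sanitize_email()`, `email_exists()`, `get_current_user_id()` and `wp_die()`; the file name, the `cai_` prefix and the rejection message are my own choices.

```php
<?php
/**
 * Plugin Name: Block comment-author impersonation
 * Description: Added example (not part of WordPress core or Jetpack). Rejects a
 *              comment whose author email belongs to a registered user unless
 *              the commenter is logged in as that user. Save this file as
 *              wp-content/mu-plugins/block-comment-impersonation.php.
 */

/**
 * Decide whether a comment submission may use the given author email.
 *
 * Kept separate from the hook so the rule can be reasoned about on its own:
 *   - empty email (pingbacks/trackbacks, or a site that does not require
 *     an email address): allow
 *   - email not tied to any account: allow (ordinary anonymous visitor)
 *   - email tied to an account: allow only if the current user IS that account
 *
 * @param string $email           Author email as typed into the comment form.
 * @param int    $current_user_id ID of the logged-in user, 0 for anonymous.
 * @return bool  True if the comment may proceed.
 */
function cai_email_allowed_for_commenter( $email, $current_user_id ) {
    $email = sanitize_email( $email );
    if ( '' === $email ) {
        return true;
    }
    $owner_id = email_exists( $email ); // int user ID, or false when unregistered
    if ( false === $owner_id ) {
        return true;
    }
    return (int) $owner_id === (int) $current_user_id;
}

add_filter( 'preprocess_comment', function ( $commentdata ) {
    $email = isset( $commentdata['comment_author_email'] ) ? $commentdata['comment_author_email'] : '';

    if ( cai_email_allowed_for_commenter( $email, get_current_user_id() ) ) {
        return $commentdata;
    }

    // Leave a trace for the site owner rather than dropping the attempt silently.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'Rejected anonymous comment claiming registered email %s from %s',
        sanitize_email( $email ),
        $remote
    ) );

    wp_die(
        esc_html__( 'That email address belongs to a registered user on this site. Please log in to comment as that user.' ),
        '',
        array( 'response' => 403, 'back_link' => true )
    );
}, 10, 1 );
```

The built-in switch for the broader policy is Settings → Discussion → “Users must be registered and logged in to comment” (the `comment_registration` option); the filter above is the narrower version, which still lets anonymous visitors comment as long as they do not claim an address that belongs to an account. Because the avatar WordPress shows next to a comment is looked up from a hash of the email address, blocking the borrowed email also blocks the borrowed picture. For a logged-in user WordPress overwrites the submitted email with the account’s own address, so a logged-in commenter cannot type someone else’s registered email to get around the check.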

    Thread Starter jmaraujo

    (@jmaraujo)

    Hey, @gemmaevans,

    Thanks for the reply. I didn’t mean to imply the “impersonation” is a Jetpack feature; I was just paraphrasing the original post I linked.

    For now I have found an acceptable solution: putting a verified icon next to the author/admin user name in the comments section.

    I’ll post it here just in case it might help someone else:

    /* Both of these classes are only added by WordPress when the comment was
       left by a logged-in account (get_comment_class() needs a non-zero
       comment user_id): "comment-author-{nicename}" marks a specific user and
       "bypostauthor" marks the author of the post. A visitor who merely types
       the admin's email into the form gets neither class, so no icon. */
    li.comment-author-administrador div.comment-author b.fn:after,
    li.bypostauthor div.comment-author b.fn:after {
        content: "\f14a";          /* Font Awesome 4 "check-square" glyph */
        font-family: FontAwesome;  /* the Font Awesome 4 webfont must be loaded by the theme */
        font-style: normal;
        font-weight: normal;
        /* insert any other css you may need here (color, text size, etc.) */
    }

    (You might need to adapt this CSS to your own theme, in particular the user name in the first selector.)

    Hi @jmaraujo,

    No problem, and thanks for sharing your workaround!

  • The topic ‘Comments impersonation (this can not be a feature!)’ is closed to new replies.