• Resolved xiffy

    (@xiffy)


    The short answer is NO this plugin is not safe, it leaks user-credentials on so many levels. Let me explain.
    First of all, the current implementation works via GET, which is okay by me, except the username/password combo will be visible in your log files. Everybody who can access your web server's log files will be able to read passwords, whether they want this or not.
    Resolution? Use POST instead of GET.

    Second. Please, please, please enforce https when using this plugin. Or make users aware that even when using POST the password will still be visible in plaintext on the internet.
    It’s 2016, playtime is over; secure this beauty please.

    (If interested, I've patched all issues mentioned above; contact me if you want these revisions.)

    https://www.ads-software.com/plugins/json-api-auth/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Ali Qureshi

    (@parorrey)

    Hi Xiffy,

    This plugin already supports both GET and POST methods.

    Using https is always better.

    And it is as safe as using website login when you fill the login form.

    Lastly, plz publish your solution on github or on anywhere for others.

    Thread Starter xiffy

    (@xiffy)

    I’ve made the source available at: https://github.com/xiffy/json-api-auth

    Can you explain how the current implementation supports POST? The Auth controller reads json_api->query, which holds all GET, but not POST variables. Or I've missed an update on the JSON-API itself (which is possible with all the versions in the wild?)

    Cheers

    Plugin Author Ali Qureshi

    (@parorrey)

    Hi Xiffy,

    Thanks for sharing on Github. I have merged the code and also updated the plugin here to version 1.8.

    Cheers!

    Can you share example code for the POST method?

    Thread Starter xiffy

    (@xiffy)

    From within WordPress via JavaScript you could use:

    // jQuery.post(url, data, success): credentials go in the POST body,
    // not in the URL, so they do not end up in the web server's access log
    jQuery.post(
      'https://example.com/api/auth/generate_auth_cookie',
      {
        username: 'scott',
        password: 'tiger'
        // add unsecure: 'cool' when not using https
      },
      function (response) {
        console.log(response);
      }
    );

    Of course, untested.
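An added example (not code from the plugin or from anyone in this thread) showing the two points raised above: why credentials sent as GET parameters end up in access logs, and a client helper that keeps them in a POST body and refuses plain HTTP unless explicitly overridden. The log lines are constructed for this example; the endpoint path and the `unsecure: 'cool'` flag are taken from the snippet in the thread, and it is an assumption that the plugin still honours that flag.

```javascript
// Parameter names that should never appear in a request URL.
const SENSITIVE_PARAMS = ['username', 'password', 'pass', 'pwd', 'cookie', 'nonce'];

// Constructed sample lines in Apache/nginx Combined Log Format.
// Line 1 is what a GET-based login leaves behind; line 2 is the POST variant.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Mar/2016:10:01:02 +0000] "GET /api/auth/generate_auth_cookie/?username=scott&password=tiger HTTP/1.1" 200 312 "-" "curl/7.47"',
  '203.0.113.5 - - [12/Mar/2016:10:01:09 +0000] "POST /api/auth/generate_auth_cookie/ HTTP/1.1" 200 312 "-" "curl/7.47"',
  '198.51.100.7 - - [12/Mar/2016:10:02:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8211 "-" "Mozilla/5.0"',
];

// Parse one access-log line into { method, target, status }; null if it does not match.
function parseAccessLogLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/);
  if (!m) return null;
  return { method: m[1], target: m[2], status: Number(m[3]) };
}

// Names of sensitive query parameters present in a request target (path + query).
function leakedParams(target) {
  // A base URL is needed only so that relative targets parse; its host is irrelevant.
  const url = new URL(target, 'http://placeholder.invalid');
  const found = [];
  for (const [key] of url.searchParams) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase()) && !found.includes(key)) found.push(key);
  }
  return found;
}

// Scan log lines and report every request whose URL carried credentials.
// Note that this only works because GET puts them in the URL; a POST body is never logged here.
function findCredentialLeaks(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLogLine(line);
    if (!req) continue;
    const params = leakedParams(req.target);
    if (params.length) hits.push({ method: req.method, target: req.target, params });
  }
  return hits;
}

// Client side: build a fetch() request that sends credentials in the POST body
// and refuses non-HTTPS endpoints unless the caller opts in explicitly.
function buildAuthRequest(endpoint, username, password, { allowInsecure = false } = {}) {
  const url = new URL(endpoint);
  if (url.protocol !== 'https:' && !allowInsecure) {
    throw new Error(`refusing to send credentials over ${url.protocol} (set allowInsecure to override)`);
  }
  const body = new URLSearchParams({ username, password });
  // Flag named in the thread's jQuery snippet; assumed to still be what the plugin expects.
  if (allowInsecure) body.set('unsecure', 'cool');
  return {
    url: url.toString(), // contains no credentials, so the access log will not either
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Usage: scan the sample log, then build a request the safe way.
console.log(findCredentialLeaks(SAMPLE_LOG));
console.log(buildAuthRequest('https://example.com/api/auth/generate_auth_cookie', 'scott', 'tiger'));
```

Run with `node`; the first line of output names the one GET request whose URL carried `username` and `password`, and the second shows a request object whose URL is clean because the credentials live in the body. The same scan can be pointed at a real access log to confirm whether a site has been accepting GET logins.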

  • The topic ‘But is it safe? (hint: nope)’ is closed to new replies.