Gravatar security issue

  • Unknown's avatar

    Hello,

I’m really not sure if it’s a pure Gravatar issue only or somehow “WP single login” related, as I’m only a Gravatar user.

    The thing which bothers me (A LOT) is the fact that after using “logout” and then again “Sign in” I’m auto-magically signed in without any password prompt. Even after closing/opening the browser (not session related).

    Steps to reproduce:
    1. Point to http://gravatar.com/emails
    2. Use “Sign in” top link
    3. Enter login information (email & password)
    4. After successful login use “Logout” from top (right) profile menu

    Tested with Firefox Developer Edition 39.0a2 and Chromium 41.0.2272.76 under Ubuntu 14.10

There was no way to directly/securely report this (email, bugtracker, etc.), so feel free to remove this and contact me directly if you need more information.

    Thanks
    Miro

  • Unknown's avatar

    Hi Miro,

    I believe this is happening because the login is authorizing through WordPress.com, which you’re currently signed into. Here’s what I’m experiencing:

    1. Login to WordPress.com

    2. Login to Gravatar using “WordPress.com Sign-in” in the top right-hand corner

    3. Logout of Gravatar. Stay signed into WordPress.com.

    4. Click the sign-in link again on Gravatar. Since I’m still signed into WordPress.com, it doesn’t prompt me for username and password.

    Contrast that to:

    1. Login to WordPress.com

    2. Login to Gravatar using “WordPress.com Sign-in” in the top right-hand corner

    3. Logout of Gravatar. Logout of WordPress.com.

    4. Click the sign-in link again on Gravatar. Since I’m signed out of WordPress.com, I’m prompted with a username and password.

    Can you let me know if you’re experiencing something similar?

  • Unknown's avatar

    Hi Jeremy,

It is not the case. I never log in (directly) to wordpress.com. Gravatar is the only WP service I use.
While I read this, I wasn’t logged in. The login link was pointing to wordpress.com and prompted for user/password. I didn’t sign in; instead I opened gravatar.com. I was still logged in. So I logged out, signed in (again via Gravatar and via the link public-api.wordpress.com/oauth2/authorize?…). I came back here and reloaded the page – now I’m logged in. I went to wordpress.com and indeed – I was logged in.

I’m stressing the fact that I never log in directly on wordpress.com. However, even if it is the case, it’s still bad. Logout means logout. Trash the session for every app using the single sign-in service.
Anything that differs from that behaviour is a gate for stealing identities. I hope people developing the WP services will look into that seriously enough.

    Thanks
    Miro

  • Unknown's avatar

    Hi Miro,

    Thanks for the additional details. I believe I understand what you’re describing. I followed these steps:

    1. Logout of both WordPress.com and Gravatar.com

2. Visit Gravatar.com. Use the sign-in link in the top right-hand corner to log in via WordPress. This simultaneously logs you into WordPress.com as expected.

    3. Visit WordPress.com. I’m now logged in.

    4. Visit Gravatar.com in another tab. Logout of Gravatar.com. When I return to the WordPress.com tab, I’m still logged in (even after refresh).

    Is this the issue you’re describing? The logout link at Gravatar.com only logs you out of that particular service, not WordPress.com. You would need to logout in both places.

  • Unknown's avatar

    Hi Jeremy,

    Sorry for the late response.

    It’s simpler than that.
1. Log out of every WordPress-related session, including the Gravatar one.
2. You may even close/re-open your browser, clear your cookies, etc.
3. Log in to Gravatar.com
4. Log out of Gravatar.com
5. Log in again on Gravatar.com – you are not prompted for your password
6. Log out, close your browser. Open your browser, go to Gravatar.com
7. You are either logged in, or you are not prompted for your password if you try to log in.

  • Unknown's avatar

1. Log out of every WordPress-related session, including the Gravatar one.
2. You may even close/re-open your browser, clear your cookies, etc.
3. Log in to Gravatar.com
4. Log out of Gravatar.com
5. Log in again on Gravatar.com – you are not prompted for your password
6. Log out, close your browser. Open your browser, go to Gravatar.com
7. You are either logged in, or you are not prompted for your password if you try to log in.

Correct – this is happening because you’re still logged into WordPress.com in the scenario above. When you click Sign In on Gravatar.com, you’re also signing into WordPress.com. In the steps above, you’re only logging out of Gravatar.com, not out of WordPress.com as well. Since Gravatar authenticates through WordPress.com, if you’re logged into WordPress.com, you will not be prompted to enter credentials to log in to Gravatar.com; we’ll just use the same credentials to log you into Gravatar.com.

  • Unknown's avatar

And this is the kind of ‘feature’ I call a security issue. You presume (completely wrongly) that I use any other WP service. Not to mention that logout means “end of the session”. No matter what authentication method/service is used. In 100% of all possible cases.

The whole thing gives me the big picture of how concerned about security the maybe biggest PHP community is. And it is the reason I made the right decision to choose to work with other technologies, where “it works, so I don’t care” is defined as a Bad Thing.

  • Unknown's avatar

    All WordPress.COM accounts are Gravatar accounts too.

    Gravatar and WordPress.com, Together Forever

  • Unknown's avatar

I definitely understand your frustration here @myovchev. As @Timethief mentioned, Gravatar and WordPress.com are effectively one and the same. If you log in to Gravatar.com, you’ll be simultaneously logged into WordPress.com. If you would like to log out of both WordPress.com and Gravatar, you would have to do that individually. Logging out from Gravatar.com will not simultaneously log you out of WordPress.com.
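The silent re-login that Jeremy's explanation and the seven steps above describe, modelled as an added example (constructed code, not WordPress.com or Gravatar code): one identity-provider (IdP) session cookie shared by relying parties such as Gravatar, with the relying-party-only logout beside the global logout Miro is asking for. The `IdP` and `RelyingParty` classes, the `global_logout` flag and the identity `miro@example.com` are assumptions of this model.

```python
# Constructed model of the single sign-on behaviour in this thread (not
# WordPress.com or Gravatar code): one identity provider (IdP) session is
# shared by relying parties (RPs) such as Gravatar; each RP has its own session.
from dataclasses import dataclass, field
import secrets

USER = "miro@example.com"  # constructed identity, not a real account
@dataclass
class IdP:
    sessions: dict = field(default_factory=dict)  # IdP session id -> user
    prompts: int = 0  # how many times the user had to enter a password
    def authorize(self, jar: dict) -> str:
        """The /authorize endpoint: reuse the IdP cookie while it is valid."""
        sid = jar.get("idp")
        if sid in self.sessions:      # live IdP session: no password prompt at all
            return self.sessions[sid]
        self.prompts += 1             # no IdP session: prompt, then set the cookie
        jar["idp"] = sid = secrets.token_hex(8)
        self.sessions[sid] = USER
        return USER

    def logout(self, jar: dict) -> None:
        self.sessions.pop(jar.pop("idp", None), None)

@dataclass
class RelyingParty:
    name: str
    idp: IdP
    sessions: dict = field(default_factory=dict)  # RP session id -> user
    def login(self, jar: dict) -> str:
        user = self.idp.authorize(jar)
        jar[self.name] = sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return user
    def logout(self, jar: dict, global_logout: bool = False) -> None:
        self.sessions.pop(jar.pop(self.name, None), None)
        if global_logout:             # "logout means logout": end the IdP session too
            self.idp.logout(jar)

def relogin(global_logout: bool) -> dict:
    """Miro's steps 3-5: log in to Gravatar, log out, log in again."""
    idp, jar = IdP(), {}
    gravatar = RelyingParty("gravatar", idp)
    gravatar.login(jar)
    gravatar.logout(jar, global_logout)
    alive = jar.get("idp") in idp.sessions  # WordPress.com session still live?
    gravatar.login(jar)
    return {"idp_session_after_logout": alive, "prompts": idp.prompts}
```

With RP-only logout the IdP session survives and the second login never prompts (one prompt in total); with global logout the IdP session is gone and the user is prompted again (two prompts).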

  • The topic ‘Gravatar security issue’ is closed to new replies.