Need help? Check out our Support site, then


WordPress.com Forums » Support

Response to a post contains my password

  1. charliealfred
    Member

    I posted a response to the following WordPress blog post (reply #4)

    http://genehughson.wordpress.com/2012/09/11/reduce-reuse-recycle/

    Upon posting, it prompted for authentication (as epected), and I entered the URL for my WordPress blog and my password. Much to my shock and disappointment, the response was posted with a link to my blog, using my password in the text.

    I've posted responses to many sites, and have never seen such blatent disregard for password security before. What is going on here? This should never have happened!
    Blog url: http://charliealfred.wordpress.com/

  2. thegiddygoat
    Member

    I don't see any sign of your password being shown on that post URL you have given. It looks a decent enough blog to me. Your name links to your blog, but that is not something devious by the blogger who's blog you left a comment on. You seem to be wrongly accusing someone of something they haven't done.

  3. genehughson
    Member

    Charlie contacted me right after it happened and I edited the comment to remove it. I don't think he's inferring that I did something nefarious, more that there was some issue with the WordPress code.

  4. thegiddygoat
    Member

    Oh i see. So the password DID show?

  5. thegiddygoat
    Member

    I'll tag this for staff as that's definitely something that should never happen. Sorry i misunderstood as i saw no password.

  6. genehughson
    Member

    It did...the name field contained his password and username (Charlie, correct me if I got the order wrong) concatenated. The body of the comment and the other fields were as expected.

  7. thegiddygoat
    Member

    OK thanks for that info. I've tagged this for staff to help now.

  8. charliealfred
    Member

    Gene is correct. The original text displayed for my blog URL took the form

    <password><WP user name>

    When I noticed it, I didn't have any way to delete the post or modify the URL. As a result, I changed my WP password, let Gene know, and posted the original topic entry.

    Gene (blog owner) was able to edit my password out of the blog URL.

    This is why it doesn't show up anymore.

    Thanks,
    Charlie

  9. jenia
    Staff

    Hi Charlie, I am sorry your password got exposed and I am glad that you and Gene were able to quickly make the necessary changes to protect your privacy.

    I looked at our recent support requests, and I did not find any similar cases reported recently. I did notice while trying to reproduce your issue on my test blog that the fields under the commenting form ask for the following three items: 1) email, 2) name, 3) website. When you visit http://genehughson.wordpress.com/2012/09/11/reduce-reuse-recycle/ again (while logged), do you see those three fields – do you think it's possible that you accidentally entered your password into the "website" field?

  10. justjennifer
    Member

    @jenia according to what the OP says above, he entered his password as a part of authentication.

  11. jenia
    Staff

    @justjennifer: right, I read that. Double-checking since the reply form can sometimes be confused with an authentification form (which may or may not be the case for Charlie. At the same time, I am unable to reproduce and don't see similar reports from other users, so there is a chance that this is a user error).

    @charliealfred: Charlie, just to make sure, which browser/operating system you are using? Have you posted comment replies since then, and if you did, did you have to log in and did the same issue occur again?

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags