Comments on: e-mails https://habitablezone.com/2011/04/25/179/ Sun, 19 Apr 2026 04:50:17 -0700 hourly 1 http://wordpress.org/?v=3.3.1 By: Eri https://habitablezone.com/2011/04/25/179/#comment-122 Eri Wed, 27 Apr 2011 13:06:06 +0000 http://habitablezone.com/?p=179#comment-122 Yes, I can. You have no idea what I went through that time Bowser wanted to donate to the site and I volunteered to be his go-between. It was ridiculously funny. I had to wonder if Bows was actually some high mucky-muck but still... I mean I have an e-mail address at mail.com that absolutely no one could ever guess is mine by the address. Yes, I can. You have no idea what I went through that time Bowser wanted to donate to the site and I volunteered to be his go-between. It was ridiculously funny. I had to wonder if Bows was actually some high mucky-muck but still… I mean I have an e-mail address at mail.com that absolutely no one could ever guess is mine by the address.

]]> By: Robert https://habitablezone.com/2011/04/25/179/#comment-108 Robert Tue, 26 Apr 2011 23:12:17 +0000 http://habitablezone.com/?p=179#comment-108 How about now? Looks like you guys found a hole in WordPress. It's hard to imagine something so blatant slipping by, except that WP is really intended for single-blog use. OTOH it supports multiple authors and public commenting via captchas, so right away there's a potential for disclosing email addresses. I managed to close the hole by suppressing display of comments in the editor completely. That's an imperfect solution because it means that editors can't approve pending comments, i.e. those posted by the public via a captcha. I'm pretty sure that personal info needs to be restricted to a higher level than editors, aka moderators, because using Bowser as our privacy canary in the coal mine, can you imagine the brick he'd excrete if Frank could see his email address? How about now?

Looks like you guys found a hole in WordPress. It’s hard to imagine something so blatant slipping by, except that WP is really intended for single-blog use. OTOH it supports multiple authors and public commenting via captchas, so right away there’s a potential for disclosing email addresses.

I managed to close the hole by suppressing display of comments in the editor completely. That’s an imperfect solution because it means that editors can’t approve pending comments, i.e. those posted by the public via a captcha. I’m pretty sure that personal info needs to be restricted to a higher level than editors, aka moderators, because using Bowser as our privacy canary in the coal mine, can you imagine the brick he’d excrete if Frank could see his email address?

]]>