Alex over at Question-Defense posted an article in March about stopping WordPress user enumeration. It turns out that not only did he want a more formal patch for this vulnerability, but I also knew of another user enumeration vulnerability in WordPress. After hanging out for a bit at Blackhat, he and I decided to sit down and come up with a formal patch to address these vulnerabilities. If you want to read the full article on this post, check out: Block WordPress User Enumeration, Secure WordPress Against Hacking. Grab the patch after the fold:
Responsible disclosure is something I firmly believe in and I think it’s something all security researchers should practice. Recently I contacted T-Mobile about multiple vulnerabilities in their website and I’d like to talk about my experience with them to show that not only does responsible disclosure work, it is highly effective.
A few weeks ago while checking out the Shazam.com website I decided, “Hey, I wonder if I can find any small vulnerabilities in Shazam.” I thought of this because I had not heard of their security posture recently despite the fact that they are such a large website. I soon found myself a nice little XSS vulnerability in their search functionality.