Security flaw in regards to BuddyPress member username/display name?

  • BlinkyBill01
    Participant

    @blinkybill01

    Using the Display Name, in BuddyPress Profile Fields, does not save the information to the WordPress User Edit section.

    When I’m using BuddyPress and I edit a member profile name, it does not save and display the new name. It only displays the name that the user (or I) logs in with. No matter how many times I edit the profile name in the BuddyPress profile settings, it will not save.

    However, when I edit the User via the WordPress Edit User, I can save the name correctly so that it doesn’t display the login name. But, if I go back and edit the BuddyPress Profile settings to change the name again, it reverts back to the login name and will not save or maintain the previous changes.

    This is not secure/safe as everyone can see the login name and only has to guess the password to log in to other people’s accounts.

    Is BuddyPress, by default, not supposed to show a “Nickname” rather only show the login name? I’ve been trying to figure this out for hours and my brain is finally fried, so I figured to post this here.

Viewing 2 replies - 1 through 2 (of 2 total)
  • @ChrisClayton
    Participant

    @chrisclayton

    I think calling it a ‘security flaw’ is going a bit overboard… most of the top 100 websites on Alexa’s topsites list have your login name displayed publicly. (E.g. if I gave you my Gmail address so we could keep in contact, all you need to do is figure out/guess my password and hack my account.) But anyways,

    Correct me if I misread what you’re saying, but it sounds like this might be the problem you’re experiencing – http://buddypress.trac.wordpress.org/ticket/3725 (it’s being fixed in BuddyPress 1.6)

  • BlinkyBill01
    Participant

    @blinkybill01

    Yes, that’s it, Chris. I may have jumped ahead and called it a security flaw incorrectly. What I meant was that, if this bug was actually working as intended, it didn’t allow members to change their display name, which could cause people to think that it was a security issue. That people wouldn’t join if their login was visible. Since WordPress allows a Nickname to be visible and BuddyPress didn’t, some could see it as a flaw.

    Since it is being fixed, it showed me that it wasn’t intended and that someone else knew of this and was working to fix it.

    Thanks for the response :)
