Hi and thank you for the feedback.
I think there’s some confusion here. Exposing vital information means that other users/visitors can see your information, and not that while being logged in, you see your own, which, by the way, is normal.
Basically, Clicky has the capability to attach users and e-mails to sessions. To do so, if a user is logged in and the features are enabled, a username and email are sent to clicky.com as a tracking code variable. Here’s probably what generates the confusion. Seeing the username in the page source, you thought everyone else sees your data. This is not true, because everyone logged in will see his own data and logged-out users none.
In the documentation page of the plugin you can find some details about it:
If you check the Track Usernames box, the plugin will attach the username of a logged in user to its session. Additional data, like e-mail addresses, can be attached to a Clicky Analytics session using the Track Emails option.
Basically, this is done by attaching those to the tracking code, while being logged in. As well, you have full control over these features. You can disable or enable them as you wish.
As a final note, if you do find a vulnerability in the future, vulnerabilities should never be disclosed in public. Here’s how vulnerabilities should be handled. Since it’s so sensitive, a vulnerability needs to be treated responsibly and as privately as possible.
This reply was modified 7 years, 2 months ago by Alin Marcu.