Page MenuHomePhabricator
Create Task
Maniphest T135360

AbuseFilter reveals connection between accounts on login-autocreate
Closed, ResolvedPublic
Actions

Description

Steps to reproduce (on a wikifarm with some single sign-on systems that uses autocreation, such as CentralAuth):

  1. create accounts A and B
  2. logged in as A, go to a wiki where B has no local account
  3. without logging out first, log in as B

The AbuseFilter log event will be attributed to user A and the account name variable will be B, exposing the fact that the two accounts are owned by the same user.

Log record example: http://en.wikipedia.beta.wmflabs.org/wiki/Special:AbuseLog/27870

Event Timeline

Tgr created this task.May 16 2016, 8:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2016, 8:46 AM
Tgr updated the task description. (Show Details)May 16 2016, 8:50 AM
Tgr added a project: AbuseFilter.May 16 2016, 9:02 AM
Tgr updated the task description. (Show Details)
Tgr added a comment.May 16 2016, 11:43 AM

https://gerrit.wikimedia.org/r/#/c/288902/ will make autocreations log the same user as created and creator.

Bawolff added a project: Vuln-Infoleak.May 16 2016, 12:23 PM
csteipp triaged this task as Medium priority.May 17 2016, 8:50 PM
Tgr added a comment.Jul 28 2016, 10:36 PM
In T135360#2296799, @Tgr wrote:

https://gerrit.wikimedia.org/r/#/c/288902/ will make autocreations log the same user as created and creator.

which was reverted due to unrelated difficulties and then merged as https://gerrit.wikimedia.org/r/#/c/292606/ and cherry-picked to 1.27. So this should be fixed for MW versions newer than 1.26.

Tgr added a subscriber: dpatrick.Sep 18 2016, 6:04 AM

@dpatrick should we make this task public (and close it as resolved)? The info leak is for 1.26 and older only, and very hard to trigger. I doubt we want to spend any effort on fixing it.

Aklapper added a comment.Apr 26 2017, 6:30 PM

@dpatrick: Any feedback on the question in the last comment?

Aklapper added a comment.Jan 3 2018, 12:30 PM
In T135360#2646114, @Tgr wrote:

@dpatrick should we make this task public (and close it as resolved)? The info leak is for 1.26 and older only, and very hard to trigger. I doubt we want to spend any effort on fixing it.

Ping. Any opinion from the Security team? ^

Platonides subscribed.Nov 21 2018, 12:00 AM

1.26 has been EOLed for two years now. Not to mention that the single sign-on requisite means this would only have affected a tiny fraction of installs. Closing and publishing.

Platonides closed this task as Resolved.Nov 21 2018, 12:01 AM
Platonides changed the visibility from "Custom Policy" to "Public (No Login Required)".
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL