
Wrong user's cookie
Closed, Invalid (Public)

Description

Author: laugh

Description:
Hi,
Trying to log in this morning I have found that my computer wanted to log in
under an unknown name. The user's name plus his password were clearly on my log
on field. After checking my system for viruses and similar I found a Cookie from
Wikipedia that contained somebody else's data and password and, sorry to say,
was so amateurishly encoded that it took me less than a minute to see the other
user's password in clear. Besides addressing this problem you might want to
contact User:Rough to advise him that his password has been compromised. This is
my at-home computer and has not been used by anyone but me for at least a year.
Besides, my log-ons are slightly harder to crack than yours.
Take care
Alf


Version: unspecified
Severity: normal
OS: Windows XP
Platform: PC

Details

Reference
bz9171

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 9:37 PM
bzimport set Reference to bz9171.
bzimport added a subscriber: Unknown Object (MLST).

Note that the cookies do not include passwords.

laugh wrote:

(In reply to comment #1)

Note that the cookies do not include passwords.

Maybe, then please explain why the password was in my log-in box and could be
decoded perfectly. You may say I am crazy but nobody except me has used this
computer for at least one year.

ral315 wrote:

It's possible that someone used the computer and allowed the browser to save
password information; however, MediaWiki stores username, user ID, and a session
hash. None of these should include plaintext password information.

The only time that MediaWiki fills in the password field is if you provide it;
it *shouldn't* ever turn up in a cookie, but I suppose hypothetically if you set
such a cookie there's a chance it might somehow sneak in there.

On the other hand, many browsers *do* have features to save fields and pre-fill
them, including passwords. You should double-check in your browser's setup that
that is the problem.

We have occasionally had odd problems with people getting other people's login
_sessions_ stuck in, probably due to problems with the proxy caching which are
hopefully resolved. That, again, should never show you a password.
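The comment above describes what a MediaWiki login cookie should hold (username, user ID, an opaque session hash) and what it must never hold (a password, even under a weak encoding). The following is an added example, not code from the page or from MediaWiki, of the check a reviewer can run against a captured cookie jar: it looks for a known secret under the trivial decodings (percent-encoding, ROT13, base64, hex) and verifies that the session value is an opaque hex token. The cookie names and values are constructed, not real MediaWiki cookies.

```python
import base64
import binascii
import codecs
import re
from urllib.parse import unquote

# Constructed cookie jar shaped like the username / user ID / session triple
# described in the comment; names and values are assumed, not taken from MediaWiki.
SAMPLE_COOKIES = {
    "wikiUserName": "Rough",
    "wikiUserID": "12345",
    "wiki_session": "3f2a9c1e8b7d4e6f0a1b2c3d4e5f6a7b",  # opaque random hash
    # A deliberately bad "remember me" cookie: "user:password" in base64.
    "wikiRemember": base64.b64encode(b"Rough:hunter2").decode(),
}


def _decodings(value: str):
    """Yield the value under the trivial encodings a reviewer should try first."""
    yield value
    yield unquote(value)                      # percent-encoding
    yield codecs.decode(value, "rot13")       # letter substitution
    try:                                      # base64, tolerating stripped padding
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass
    try:                                      # hex
        yield bytes.fromhex(value).decode("latin-1")
    except ValueError:
        pass


def cookies_leaking_secret(cookies: dict, secret: str) -> list:
    """Names of cookies whose value reveals `secret` under any trivial decoding."""
    return sorted(name for name, value in cookies.items()
                  if any(secret in decoded for decoded in _decodings(value)))


def looks_like_session_hash(value: str) -> bool:
    """A session id should be an opaque hex token, not structured or encoded data."""
    return re.fullmatch(r"[0-9a-f]{32,}", value) is not None


if __name__ == "__main__":
    print(cookies_leaking_secret(SAMPLE_COOKIES, "hunter2"))   # ['wikiRemember']
    print(looks_like_session_hash(SAMPLE_COOKIES["wiki_session"]))  # True
```

Run it against a real cookie jar with the account's actual password as `secret`; an empty result plus a well-formed session hash is the expected outcome for the cookie layout the comment describes.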