Page MenuHomePhabricator
Create Task
Maniphest T12284

Captchas on Special:Userlogin and bots
Closed, ResolvedPublic
Actions

Description

Author: EN.WP.ST47

Description:
Special:Userlogin uses a captcha to prevent automated logins, every failed login attempt results in a captcha being added for 5 minutes, This is an excellent security tool, but does cause some problems, especially with robots. Usually, there would be no problem, as a captcha is rare on most systems. However, on the toolserver, it is displayed surprisingly often, preventing all wikipedia bots from that source from logging in, and causing various issues. There are two ways around this, and they are:

1: Exempt the toolserver's IP from the captcha, simply do not set the captcha to activate on bad logins from toolserv. This would not be dangerous, as the toolserver is not publicly accessible, and would not be used to attack user's accounts.

2: Exempt all bots. Whatever the process is that verifies the captcha, first should check if the bot is flagged. This would allow external users to attack bot accounts, however.

3: Reactivate the login API for registered bots (those with the botflag). Also allows external users to attack bot accounts, but bot owners could be asked to 'opt-in' their bot for API login, and only bots on this list can login through this method. This would allow only operators who have been told to set a secure 12+ character password to use the API, which would cripple any password attacks. This opt-in would have to be done while logged in, to prevent malicious users adding a target account to the list. This has the bonus that non-flagged bots, both those intentionally unflagged and those in trial, can still use the process.

This bug prevents bot usage and testing, and should be corrected if possible.

Version: unspecified
Severity: normal
URL: http://en.wikipedia.org/Special:Userlogin

Details

Reference
bz10284

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:52 PM
bzimport added a project: WMF-General-or-Unknown.
bzimport set Reference to bz10284.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jun 15 2007, 10:59 PM
bzimport added a comment.Jun 16 2007, 1:02 AM

robchur wrote:

  1. Perhaps doable, although I don't know if we have a per-IP whitelist as coded.
  1. Not a good idea...a bot account has a little more leeway and is not so immediately noticeable if compromised.
  1. The login API was disabled because it was insecure. Re-enabling it won't happen again until this is fixed; there is potential for bot account passwords to be leaked.
bzimport added a comment.Jun 16 2007, 9:51 AM

e wrote:

(In reply to comment #1)

  1. Perhaps doable, although I don't know if we have a per-IP whitelist as

coded.

Is there any other way to disable CAPTCHA for the particular IP address only or will it need to be created?

bzimport added a comment.Jun 16 2007, 11:13 AM

EN.WP.ST47 wrote:

E: It would need to be created. I'm not at all fluent in PHP, however, I think it would be quite simple.

Rob:
You say that it would be hard to detect if it is compromised, what if we used a 'opt-in' list of bot operators who want to use it and have status that they have a 16+ alphanumeric password? That leaves about 8 octillion possibilities, and even it every person on the planet attacked it, each person would have a list of passwords ranking in the hundreds of trillions, and a bot can remember such a password, whereas a human cannot. Even if not, toolserver can probably be exempted safely, correct?

Huji added a comment.Jun 16 2007, 5:58 PM

Dan, that kind of inclusion criteria for the "opt-in" system doesn't seem to be feasible indeed. I may run a bot now with a 42 letter alphanumeric-digit-special-char password, opt in the list, then change my password to something more easy for myself, just because I'm too lazy to use that long password! I made an exagerated example, but I'm sure you know what I mean.

bzimport added a comment.Jun 17 2007, 1:51 AM

ayg wrote:

We need more flexible password strength requirements, as part of the core software, that are triggered whenever users change their password. Sysops and bots need more secure passwords, of course. Users with sufficiently secure passwords could be given the right to waive the captcha for themselves.

bzimport added a comment.Jun 17 2007, 2:13 AM

ayg wrote:

(In reply to comment #5)

We need more flexible password strength requirements, as part of the core
software

(Never mind the part about in the "core software", an extension is fine.)

demon added a comment.Jul 16 2007, 6:56 PM

(In reply to comment #1)

  1. Perhaps doable, although I don't know if we have a per-IP whitelist as

coded.

After reading through ConfirmEdit.php, it turns out we *do* have a whitelist, stored in an array titled $wgCaptchaWhitelistIP.

bzimport added a comment.Jul 16 2007, 7:18 PM

ayg wrote:

Now we do, although we didn't at the time comment #1 was made. (bug 10424) It's IP-specific, of course, not user-specific.

demon added a comment.Jul 16 2007, 7:35 PM

Implementing a user-specific one seems as though it'd be a bad idea, as Rob pointed out above with regards to accounts being compromised. However, as this request is in regards to the toolserver specifically, I think it could easily be added to the whitelist, solving this issue.

bzimport added a comment.Aug 31 2007, 3:21 PM

robchur wrote:

(Open a new bug for the specific shell request)

Catrope added a comment.Sep 6 2008, 9:52 PM

Closing as FIXED because the login API has been re-enabled ages ago, and nobody's replied to this bug for a year. Please REOPEN if this is still an issue.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL