
Use OAuth for https://tools.wmflabs.org/cluebotng/
Open, Needs Triage · Public

Description

Converting the tool to use OAuth would:

  • Eliminate the need for the use of reCaptcha, which is an end-user privacy concern if not a Tool Labs Terms of Use/Privacy Policy violation.
    • The privacy concern here is that a WMF-hosted web page is automatically including 3rd-party assets (in this case an iframe).
  • Eliminate passing password data into the Tool Labs environment, which is a general security concern (POSTed password data cannot be guaranteed to be secure in the Tool Labs environment).
  • Eliminate local account creation without required end-user notice.

Event Timeline

bd808 created this task. May 15 2016, 4:22 AM
Restricted Application added subscribers: Zppix, Aklapper. · May 15 2016, 4:22 AM

The required 'account creation' notice isn't there, and it's using reCaptcha so loading content from other sites without user consent, so all of this is a Tool Labs Terms of Use/Privacy Policy violation.

@DamianZaremba: Hi! Is this task still valid and should still be open? If yes, are you still working (or still plan to work) on this task? (If you do not plan to work on this task anymore, please remove yourself as assignee (via Add Action...Assign / Claim in the dropdown menu) so in theory others could work on it.) Thanks!

Aklapper renamed this task from Use OAuth for http://tools.wmflabs.org/cluebot/ to Use OAuth for https://tools.wmflabs.org/cluebotng/. Mar 6 2020, 11:28 AM
Aklapper removed DamianZaremba as the assignee of this task.
Aklapper added a project: Privacy.
Aklapper removed a subscriber: ZhouZ.

https://tools.wmflabs.org/cluebot/ does not exist anymore. https://tools.wmflabs.org/cluebotng/ does and lacks OAuth, so this issue is still valid.
However, it might be something to report to https://github.com/damianzaremba/cluebotng/issues instead, which I did in https://github.com/DamianZaremba/cluebotng/issues/13 .

Resetting task assignee due to inactivity.

JFishback_WMF moved this task from Incoming to Watching on the Privacy Engineering board.
JFishback_WMF moved this task from Intake to Backlog on the Privacy board.