Page MenuHomePhabricator

AbuseFilter reveals connection between accounts on login-autocreate
Closed, ResolvedPublic

Description

Steps to reproduce (on a wikifarm with some single sign-on systems that uses autocreation, such as CentralAuth):

  1. create accounts A and B
  2. logged in as A, go to a wiki where B has no local account
  3. without logging out first, log in as B

The AbuseFilter log event will be attributed to user A and the account name variable will be B, exposing the fact that the two accounts are owned by the same user.

Log record example: http://en.wikipedia.beta.wmflabs.org/wiki/Special:AbuseLog/27870

Event Timeline

Tgr created this task.May 16 2016, 8:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2016, 8:46 AM
Tgr updated the task description. (Show Details)May 16 2016, 8:50 AM
Tgr updated the task description. (Show Details)
Tgr added a comment.May 16 2016, 11:43 AM

https://gerrit.wikimedia.org/r/#/c/288902/ will make autocreations log the same user as created and creator.

csteipp triaged this task as Normal priority.May 17 2016, 8:50 PM
Tgr added a comment.Jul 28 2016, 10:36 PM

https://gerrit.wikimedia.org/r/#/c/288902/ will make autocreations log the same user as created and creator.

which was reverted due to unrelated difficulties and then merged as https://gerrit.wikimedia.org/r/#/c/292606/ and cherry-picked to 1.27. So this should be fixed for MW versions newer than 1.26.

@dpatrick should we make this task public (and close it as resolved)? The info leak is for 1.26 and older only, and very hard to trigger. I doubt we want to spend any effort on fixing it.

@dpatrick: Any feedback on the question in the last comment?

@dpatrick should we make this task public (and close it as resolved)? The info leak is for 1.26 and older only, and very hard to trigger. I doubt we want to spend any effort on fixing it.

Ping. Any opinion from the Security team? ^

1.26 has been EOLed for two years now. Not to mention that the single sign-on requisite means this would only have affected a tiny fraction of installs. Closing and publishing.

Platonides closed this task as Resolved.Nov 21 2018, 12:01 AM
Platonides changed the visibility from "Custom Policy" to "Public (No Login Required)".