Page MenuHomePhabricator
Create Task
Maniphest T140167

Security Review of LoginNotify extension
Closed, ResolvedPublic
Actions

Description

Project Information

  • Name of tool/project: LoginNotify
  • Project home page: https://mediawiki.org/wiki/Extension:LoginNotify
  • Name of team requesting review: Security
  • Primary contact: @Bawolff
  • Target date for deployment: Whenever. Maybe end of July
  • Link to code repository / patchset: rELGN (or gerrit mediawiki/extension/LoginNotify.git)
  • Programming Language(s) Used: PHP

Note, since @Bawolff wrote the extension, someone who is not @Bawolff should review it.

Description of the tool/project

Give echo notifications whenever someone attempts to login but gives wrong password.

Extension tries to determine if the user is coming from a previously used address, and is more sensitive in that case.

Has option to send email notices any time someone logs in from an address not previously used.

Description of how the tool will be used at WMF

Allow people to detect if someone is trying to break into their account

For background see T11838

Has this project been reviewed before?

no

Working test environment

Standard MediaWiki extension. git clone the repo. wfLoadExtension( 'LoginNotify' );

Post-deployment

Security team I guess

Related Objects
Search...

Event Timeline

Bawolff created this task.Jul 12 2016, 9:52 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 12 2016, 9:52 PM
Bawolff added a parent task: T11838: Send notification to account owner on multiple unsuccessful login attempts.Jul 12 2016, 9:52 PM
dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Aug 11 2016, 8:34 PM
Addshore awarded a token.Sep 12 2016, 9:14 AM
Addshore subscribed.
Tgr mentioned this in T150903: Alert sre/security on many 2FA failures.Nov 18 2016, 3:51 AM
dpatrick mentioned this in E386: Security Review: LoginNotify.Nov 22 2016, 8:51 PM
Bawolff mentioned this in T107707: Login alert when user logs in from new machine.Nov 22 2016, 10:24 PM
Reedy updated the task description. (Show Details)Nov 22 2016, 10:32 PM
Reedy subscribed.

Not security, but some cleanup detailed in T151414

Florian subscribed.Nov 23 2016, 11:54 PM
Liuxinyu970226 subscribed.Nov 27 2016, 9:04 AM
Niharika mentioned this in T153335: Investigation: Notify on multiple unsuccessful login attempts.Dec 23 2016, 3:36 PM
kaldari added a project: MediaWiki-extensions-LoginNotify.Dec 28 2016, 8:05 PM
dpatrick subscribed.Jan 30 2017, 11:24 PM

@Bawolff No issues were found beyond those already discussed in other tickets. Once those are resolved, this extension can be deployed.

dpatrick moved this task from Scheduled to Waiting/Blocked on the deprecated-security-team-reviews board.Jan 30 2017, 11:25 PM
dpatrick moved this task from Waiting/Blocked to Waiting on the deprecated-security-team-reviews board.Jan 30 2017, 11:28 PM
kaldari closed this task as Resolved.Feb 15 2017, 11:29 PM
kaldari claimed this task.
kaldari subscribed.

Other tickets are closed now (T135270, T151414, T157105) so closing this one as well per dpatrick.

Liuxinyu970226 unsubscribed.Feb 16 2017, 4:20 AM
Addshore unsubscribed.Feb 16 2017, 9:43 AM
kaldari mentioned this in T165007: Deploy LoginNotify to Test Wikipedia.May 11 2017, 5:29 AM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-LoginNotify board.Aug 28 2017, 8:04 PM
sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:23 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptJul 9 2019, 8:23 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL