Security Review of LoginNotify extension
Closed, ResolvedPublic


Project Information

  • Name of tool/project: LoginNotify
  • Project home page:
  • Name of team requesting review: Security
  • Primary contact: @Bawolff
  • Target date for deployment: Whenever. Maybe end of July
  • Link to code repository / patchset: rELGN (or gerrit mediawiki/extension/LoginNotify.git)
  • Programming Language(s) Used: PHP

Note, since @Bawolff wrote the extension, someone who is not @Bawolff should review it.

Description of the tool/project

Give echo notifications whenever someone attempts to login but gives wrong password.

Extension tries to determine if the user is coming from a previously used address, and is more sensitive in that case.

Has option to send email notices any time someone logs in from an address not previously used.

Description of how the tool will be used at WMF

Allow people to detect if someone is trying to break into their account

For background see T11838

Has this project been reviewed before?


Working test environment

Standard MediaWiki extension. git clone the repo. wfLoadExtension( 'LoginNotify' );


Security team I guess

Bawolff created this task.Jul 12 2016, 9:52 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 12 2016, 9:52 PM
Addshore added a subscriber: Addshore.
Reedy updated the task description. (Show Details)Nov 22 2016, 10:32 PM
Reedy added a subscriber: Reedy.

Not security, but some cleanup detailed in T151414

@Bawolff No issues were found beyond those already discussed in other tickets. Once those are resolved, this extension can be deployed.

kaldari closed this task as Resolved.Feb 15 2017, 11:29 PM
kaldari claimed this task.
kaldari added a subscriber: kaldari.

Other tickets are closed now (T135270, T151414, T157105) so closing this one as well per dpatrick.

Addshore removed a subscriber: Addshore.Feb 16 2017, 9:43 AM