
Remove capture feature from Special:PasswordReset
Closed, Resolved · Public

Description

Allows one to send any user a new password but also to see what it is (i.e. allows access to any user account). Disabled by default and on Wikimedia wikis, but if some wiki enables it, that's a security catastrophe waiting to happen.
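The description states the risk in one line: a reset flow that hands the new password back to whoever triggered the reset is an account-takeover primitive. As an added illustration (not MediaWiki code and not the code in the linked patch), the Python below shows a generic reset flow in both shapes: the "capture" shape, where the caller receives the new password, and a hardened shape, where the password is hashed immediately, delivered only to the account owner, and the caller learns nothing beyond that delivery happened. All names here (`User`, `Mailer`, `reset_with_capture`, `reset_hardened`) are hypothetical, and the mailer is a constructed stand-in.

```python
"""Added illustration of the Special:PasswordReset "capture" risk.
Not MediaWiki code; every class and function name here is hypothetical."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    email: str
    pw_hash: bytes = b""
    salt: bytes = b""


def set_password(user: User, password: str) -> None:
    """Store only a salted hash; the plaintext never lands in the user record."""
    user.salt = os.urandom(16)
    user.pw_hash = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user.salt, PBKDF2_ROUNDS
    )


def check_password(user: User, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user.salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, user.pw_hash)


class Mailer:
    """Constructed stand-in for the mail system: records what the
    account owner would receive, so the test can play the owner."""

    def __init__(self) -> None:
        self.outbox: list[tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))


def reset_with_capture(target: User, mailer: Mailer) -> dict:
    """The flawed shape: the operator gets the new password in the response.
    Anyone allowed to trigger a reset can then log in as the target."""
    new_pw = secrets.token_urlsafe(12)
    set_password(target, new_pw)
    mailer.send(target.email, f"Your temporary password is {new_pw}")
    # The credential is returned to the caller: this is the problem.
    return {"status": "sent", "password": new_pw}


def reset_hardened(target: User, mailer: Mailer, audit: list) -> dict:
    """The safe shape: the password is generated, hashed, delivered to the
    account owner only, and the caller receives a delivery status plus an
    audit record, never the secret itself."""
    new_pw = secrets.token_urlsafe(12)
    set_password(target, new_pw)
    mailer.send(target.email, f"Your temporary password is {new_pw}")
    audit.append(f"password reset issued for {target.name}")
    return {"status": "sent"}


def response_leaks_secret(response: dict, target: User) -> bool:
    """Review-style check: does any value in the reset response log in as the target?"""
    return any(
        isinstance(v, str) and check_password(target, v) for v in response.values()
    )


if __name__ == "__main__":
    alice = User("alice", "alice@example.org")
    print("capture leaks:", response_leaks_secret(reset_with_capture(alice, Mailer()), alice))
    bob = User("bob", "bob@example.org")
    log: list = []
    print("hardened leaks:", response_leaks_secret(reset_hardened(bob, Mailer(), log), bob))
```

The `response_leaks_secret` helper is the property a reviewer actually cares about: no value that comes back to the operator may authenticate as the target. The mailer outbox is inspected only by the test, standing in for the account owner reading their mail.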

Event Timeline

Tgr created this task. Nov 17 2016, 5:43 AM
Restricted Application added a subscriber: Aklapper. Nov 17 2016, 5:43 AM

I already have a patch for this in Gerrit.

Change 321838 had a related patch set uploaded (by Gergő Tisza):
Remove passwordreset capture feature

https://gerrit.wikimedia.org/r/321838

Change 321838 merged by jenkins-bot:
Remove passwordreset capture feature

https://gerrit.wikimedia.org/r/321838

Tgr closed this task as Resolved. Nov 24 2016, 2:48 AM
Tgr assigned this task to Bawolff.