Page MenuHomePhabricator
Create Task
Maniphest T150987

When global locking a compromised account, if user had pressed remember me, the cookie from the compromised account can be used to get back into the account later
Closed, ResolvedPublic
Actions

Description

see title.

Possibly password reset would invalidate the cookies too, but global lock should really make all old cookies useless

Arguably we should do something similar for normal blocks, although that goes against current expectations

Details

SubjectRepoBranchLines +/-
Log user out when their account gets globally lockedmediawiki/extensions/CentralAuthmaster+2 -0
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Nov 17 2016, 8:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 17 2016, 8:29 PM
Bawolff added a project: MediaWiki-extensions-CentralAuth.Nov 17 2016, 8:31 PM
Anomie subscribed.Nov 17 2016, 9:06 PM

Reminds me of T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out.

Tgr subscribed.Nov 18 2016, 1:45 AM

Oops. Didn't notice this was a security bug and put up https://gerrit.wikimedia.org/r/#/c/322227/ as a normal patch.

Bawolff added a comment.Nov 18 2016, 2:16 AM

Dont worry, i only put it as security so as not to give OurMine any ideas. I dont really think its a sensitive issue

dpatrick triaged this task as High priority.Nov 29 2016, 9:52 PM
dpatrick added a project: Vuln-Authn/Session.
Reedy subscribed.May 1 2019, 2:05 PM

Not sure why this patch hasn't been merged... JFDI? :)

Aklapper added a comment.May 27 2019, 9:18 AM

@Reedy: +2'ed on 2019-05-01 and merged (thanks).
Can this task get closed as resolved? Can it be made public?

Reedy closed this task as Resolved.May 27 2019, 1:23 PM
Reedy assigned this task to Tgr.

I would think so

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".May 27 2019, 1:23 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL