
Small CAPTCHA challenge set
Open, Low, Public, Feature

Description

Author: mike.lifeguard+bugs

Description:
This was only discovered by creating hundreds of accounts (one for each wiki), and is therefore perhaps not a real security concern.
There are sometimes repeated CAPTCHAs or words which shouldn't appear. Once a CAPTCHA is used, it should likely be binned for all wikis. On several occasions I've had the same CAPTCHA more than once.
The only example I can remember is alsopoet, which has been used two times, but there are others (I mentioned this previously to Brion in IRC).


Version: unspecified
Severity: enhancement

Details

Reference
bz13286

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 10:03 PM
bzimport set Reference to bz13286.
bzimport added a subscriber: Unknown Object (MLST).

Yeah, the current scheme is not very super and will be biased to some items depending on the existing random distribution. A nice queue with proper expiration and refreshing would be better.

There are 10,000 captchas, so coincidences are likely after ~sqrt(10000) = 100 attempts. That's not a break in itself; the break comes if the attacker is able to manually solve say 100 captchas, and then do a brute force attack with a success rate of 1%. But an OCR method may well give a better hit rate, so it might not be worth all that human effort to build the dictionary. A manually-constructed dictionary can easily be invalidated by regenerating the captchas, but an OCR method would require a change to the algorithm.
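The arithmetic in the comment above, worked through as an added example (not code from this task or from the ConfirmEdit extension): the exact and approximate birthday-bound probability of a repeated challenge after k draws from a set of N, the number of draws after which a repeat is more likely than not, the coverage a dictionary of d solved challenges gives against an unchanged set, and a small simulation contrasting uniform-with-replacement selection with a pool that drops each challenge once served. N = 10,000 is the set size quoted in the comment; the function names and the two toy selection schemes are this example's own assumptions.

```python
"""Risk arithmetic for a small CAPTCHA challenge set (added example).

With N stored challenges served uniformly at random with replacement, a
repeat becomes likely after about sqrt(N) challenges, and a dictionary of
d known answers covers a fraction d/N of later challenges. The helpers and
the toy selection schemes below are this example's own, not ConfirmEdit code.
"""
import math
import random
from typing import Tuple


def prob_repeat_exact(n: int, k: int) -> float:
    """Probability that at least one of k uniform draws from n items repeats
    an earlier draw (exact birthday-problem product)."""
    if k > n:
        return 1.0
    p_no_repeat = 1.0
    for i in range(k):
        p_no_repeat *= 1.0 - i / n
    return 1.0 - p_no_repeat


def prob_repeat_approx(n: int, k: int) -> float:
    """Standard approximation 1 - exp(-k(k-1)/(2n)); accurate when k << n."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))


def draws_for_half_chance(n: int) -> int:
    """Smallest number of served challenges after which a repeat is more
    likely than not (roughly 1.18 * sqrt(n))."""
    k = 1
    while prob_repeat_exact(n, k) < 0.5:
        k += 1
    return k


def dictionary_hit_rate(n: int, solved: int) -> float:
    """Fraction of future challenges covered by a dictionary of `solved`
    known answers, assuming uniform selection from n unchanged challenges."""
    return min(solved, n) / n


def simulate_repeats(n: int, k: int, seed: int = 1) -> Tuple[int, int]:
    """Serve k challenges under two toy schemes and count how many repeat
    one already served.  Scheme 1 draws uniformly with replacement (the
    behaviour the task describes); scheme 2 removes each challenge from the
    pool once served, as a delete-on-solve queue would.
    Returns (repeats_random, repeats_queue)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    # Scheme 1: random with replacement.
    seen = set()
    repeats_random = 0
    for _ in range(k):
        c = rng.randrange(n)
        if c in seen:
            repeats_random += 1
        seen.add(c)
    # Scheme 2: the pool shrinks as challenges are consumed.
    pool = list(range(n))
    rng.shuffle(pool)
    served = set()
    repeats_queue = 0
    for _ in range(min(k, n)):
        c = pool.pop()
        if c in served:
            repeats_queue += 1
        served.add(c)
    return repeats_random, repeats_queue


if __name__ == "__main__":
    N = 10_000  # challenge set size quoted in the task
    print(f"P(repeat after 100 draws): exact={prob_repeat_exact(N, 100):.3f} "
          f"approx={prob_repeat_approx(N, 100):.3f}")
    print(f"draws until a repeat is more likely than not: {draws_for_half_chance(N)}")
    print(f"hit rate with 100 solved challenges: {dictionary_hit_rate(N, 100):.2%}")
    print("repeats in 1000 challenges (random, queue):", simulate_repeats(N, 1000))
```

For N = 10,000 the exact and approximate repeat probabilities after 100 draws both come out near 0.39, and a repeat becomes more likely than not at about 119 draws, which is the "coincidences after ~sqrt(N)" point; the simulation shows the with-replacement scheme producing dozens of repeats in 1,000 challenges while the consumed-pool scheme produces none.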

Changed title; the problem is the challenge set size, not the randomness. It's perfectly random.

Not a MediaWiki, but a Wikimedia issue in FancyCaptcha image generation, and possibly a superseded one if Aaron produced the last set with a bigger dictionary. Aaron?

Aaron: Could you answer comment 4 please?

There is an option in confirmedit ($wgCaptchaDeleteOnSolve) to delete the captchas after they are used. See bug 24730.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:01 AM
Aklapper removed a subscriber: wikibugs-l-list.