
A failed CAPTCHA during account creation doesn't block the account request
Open, Needs Triage, Public

Description

CAPTCHA is presented, but the results are ignored.

Patch incoming.

Event Timeline

Change 361283 had a related patch set uploaded (by MarkAHershberger; owner: MarkAHershberger):
[mediawiki/extensions/ConfirmAccount@master] Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

Change 361283 abandoned by markahershberger:
Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

I understand this has been a bug for 4 years. It's kind of alarming because this makes wikis still susceptible to spambot attacks that target Special:RequestAccount. Some spambots on our wikis have already started to take advantage of this. Before they do, this needs to be fixed or lots of wikis relying on this extension will fall prey to spambots. I understand that humans can filter through the spam accounts, but this extension doesn't offer a mass-reject tool. Furthermore, for those using SES for email on their wikis, this can drive up bounce rates to a dangerous point where they might risk being booted off of SES. Has any other work been done on this so far?

Looks like there's no code in Special:RequestAccount to even handle the checking of captchas. Furthermore ConfirmAccount doesn't expose any hooks, so it's difficult for ConfirmEdit to extend ConfirmAccount. I'm working on a temporary stopgap solution for hCaptcha since that is our priority need right now at MyWikis, but hope this is some useful food for thought.

Since this is a priority for MyWikis, I have written the first (very temporary) patch fixes for hCaptcha only (since it is the most effective captcha currently publicly available). It's not pretty but it'll do the job for anyone who needs to secure their wiki immediately.

Here are the changed files:

MediaWiki 1.35+:

MediaWiki 1.31:

Also posted at https://www.mediawiki.org/w/index.php?title=Topic:W449yd63slfossl2&topic_showPostId=w457lxnfmrb51gct#flow-post-w457lxnfmrb51gct

I don't expect these changes to be merged as a solution for this bug report but hope this helps.
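The missing check this ticket describes, as an added illustration that is neither ConfirmAccount's code nor the patches linked above: a minimal account-request handler in Python (not the extension's PHP) showing the fail-open behaviour beside a fail-closed version that verifies the hCaptcha token server-side. The handler names, the injected `verify` callable and the return strings are assumptions; the hCaptcha endpoint, field names and JSON `success` key are the real ones.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Real hCaptcha server-side verification endpoint and form field name.
HCAPTCHA_VERIFY_URL = "https://hcaptcha.com/siteverify"
TOKEN_FIELD = "h-captcha-response"


def verify_with_hcaptcha(secret: str, token: str) -> bool:
    """Ask hCaptcha whether the token is valid. Raises on network/JSON errors."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(HCAPTCHA_VERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp).get("success") is True


def handle_account_request_vulnerable(form: Dict[str, str],
                                      verify: Callable[[str], bool]) -> str:
    """The behaviour the ticket describes (assumed shape): the widget is
    rendered and the token may even be checked, but the result is thrown
    away and the request is queued regardless."""
    verify(form.get(TOKEN_FIELD, ""))  # result ignored: fails open
    return "queued"


def handle_account_request(form: Dict[str, str],
                           verify: Callable[[str], bool]) -> str:
    """Fail-closed version: the request is queued only if a token is present
    and the verifier positively confirms it. A missing token, a negative
    answer, or any error while verifying all reject the request."""
    token = form.get(TOKEN_FIELD, "")
    if not token:
        return "rejected: no captcha token"
    try:
        ok = verify(token)
    except Exception:  # network failure, bad JSON, timeout: do not fail open
        return "rejected: captcha verification unavailable"
    if not ok:
        return "rejected: captcha failed"
    return "queued"
```

In production `verify` would be `lambda t: verify_with_hcaptcha(SECRET, t)`; the tests below inject fakes so the example runs offline.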