
A failed CAPTCHA during account creation doesn't block the account request
Closed, Resolved. Public

Description

CAPTCHA is presented, but the results are ignored.

Patch incoming.

Event Timeline

Change 361283 had a related patch set uploaded (by MarkAHershberger; owner: MarkAHershberger):
[mediawiki/extensions/ConfirmAccount@master] Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

Change 361283 abandoned by markahershberger:
Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

I understand this has been a bug for 4 years. It's kind of alarming because this makes wikis still susceptible to spambot attacks that target Special:RequestAccount. Some spambots on our wikis have already started to take advantage of this. Before they do, this needs to be fixed or lots of wikis relying on this extension will fall prey to spambots. I understand that humans can filter through the spam accounts, but this extension doesn't offer a mass-reject tool. Furthermore, for those using SES for email on their wikis, this can drive up bounce rates to a dangerous point where they might risk being booted off of SES. Has any other work been done on this so far?

Looks like there's no code in Special:RequestAccount to even handle the checking of captchas. Furthermore ConfirmAccount doesn't expose any hooks, so it's difficult for ConfirmEdit to extend ConfirmAccount. I'm working on a temporary stopgap solution for hCaptcha since that is our priority need right now at MyWikis, but hope this is some useful food for thought.
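To make the defect concrete, here is an added example (not ConfirmAccount's or ConfirmEdit's code) contrasting a handler that renders the CAPTCHA but ignores the answer with one that fails closed; `CaptchaProvider`, the handler names and the form field names are assumptions.

```php
<?php
// Added example, not ConfirmAccount's or ConfirmEdit's code: the request-account
// flow as the report describes it (CAPTCHA shown, answer ignored) beside a
// fail-closed version. CaptchaProvider and the handlers are hypothetical names.
interface CaptchaProvider {
    public function render(): string;            // markup for the challenge
    public function verify( array $post ): bool; // true only for a correct answer
}
// Before: the challenge is rendered, but the posted answer is never checked,
// so the request is stored even when the CAPTCHA fields are blank or wrong.
function handleRequestAccountBroken( CaptchaProvider $captcha, array $post, callable $submit ): string {
    if ( !isset( $post['wpSubmit'] ) ) {
        return $captcha->render();
    }
    $submit( $post['wpUsername'] ?? '' );
    return 'ok';
}
// After: fail closed. The request is stored only if the provider accepts the
// answer; a missing or wrong answer re-renders the form with an error.
function handleRequestAccountFixed( CaptchaProvider $captcha, array $post, callable $submit ): string {
    if ( !isset( $post['wpSubmit'] ) ) {
        return $captcha->render();
    }
    if ( !$captcha->verify( $post ) ) {
        return 'captcha-failed ' . $captcha->render();
    }
    $submit( $post['wpUsername'] ?? '' );
    return 'ok';
}
// Constructed stand-in provider so the example runs offline; a real provider
// would compare against a per-session challenge or call the CAPTCHA service.
final class StaticCaptcha implements CaptchaProvider {
    private string $answer;
    public function __construct( string $answer ) { $this->answer = $answer; }
    public function render(): string { return '<input name="wpCaptchaWord">'; }
    public function verify( array $post ): bool {
        return isset( $post['wpCaptchaWord'] )
            && hash_equals( $this->answer, (string)$post['wpCaptchaWord'] );
    }
}
// Constructed bot submission: form submitted with a wrong CAPTCHA answer.
$stored = [];
$store = static function ( string $name ) use ( &$stored ) { $stored[] = $name; };
$botPost = [ 'wpSubmit' => '1', 'wpUsername' => 'Spambot', 'wpCaptchaWord' => 'wrong' ];
handleRequestAccountBroken( new StaticCaptcha( 'correct' ), $botPost, $store ); // request stored anyway
handleRequestAccountFixed( new StaticCaptcha( 'correct' ), $botPost, $store );  // rejected, nothing stored
var_dump( $stored );
```

The fixed handler also rejects a submission that omits the CAPTCHA field entirely, which is the case a bot posting directly to the form would exercise.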

Since this is a priority for MyWikis, I have written the first (very temporary) patch fixes for hCaptcha only (since it is the most effective captcha currently publicly available). It's not pretty but it'll do the job for anyone who needs to secure their wiki immediately.

Here are the changed files:

MediaWiki 1.35+:

MediaWiki 1.31:

Also posted at https://www.mediawiki.org/w/index.php?title=Topic:W449yd63slfossl2&topic_showPostId=w457lxnfmrb51gct#flow-post-w457lxnfmrb51gct

I don't expect these changes to be merged as a solution for this bug report but hope this helps.

Change 831136 had a related patch set uploaded (by Seb35; author: Seb35):

[mediawiki/extensions/ConfirmAccount@master] Do verify the captcha

https://gerrit.wikimedia.org/r/831136

Change 831136 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@master] Do verify the captcha

https://gerrit.wikimedia.org/r/831136

Seb35 claimed this task.
Seb35 added a subscriber: Seb35.

Fixed in current master, so it will be available in REL1_40+ (version 1.40+).

I updated the documentation on MediaWiki.org (diff).

@Seb35 Will it be possible to back-port this to MW 1.39 since this is the LTS branch? Will be cool I believe.

Change 879996 had a related patch set uploaded (by Seb35; author: Seb35):

[mediawiki/extensions/ConfirmAccount@REL1_39] Do verify the captcha

https://gerrit.wikimedia.org/r/879996

> @Seb35 Will it be possible to back-port this to MW 1.39 since this is the LTS branch? Will be cool I believe.

It is prepared and I tested it, the patch is now in the review phase. (sorry, I did not see your message sooner :( )

@Seb35 No problem at all. I believe we all have a lot of tasks on our plates. Thanks for doing the backport!

Change 879996 merged by jenkins-bot:

[mediawiki/extensions/ConfirmAccount@REL1_39] Do verify the captcha

https://gerrit.wikimedia.org/r/879996

Fixed in branch REL1_39+ (version 1.39+). I updated MW.org.