Page MenuHomePhabricator
Create Task
Maniphest T168783

A failed CAPTCHA during account creation doesn't block the account request
Open, Needs TriagePublic
Actions

Description

CAPTCHA is presented, but the results are ignored.

Patch incoming.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/ConfirmAccountmaster+2 -0Pay attention to CAPTCHA failures
Customize query in gerrit

Event Timeline

MarkAHershberger created this task.Jun 25 2017, 5:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 25 2017, 5:45 AM
gerritbot added a subscriber: gerritbot.Jun 25 2017, 5:52 AM

Change 361283 had a related patch set uploaded (by MarkAHershberger; owner: MarkAHershberger):
[mediawiki/extensions/ConfirmAccount@master] Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

gerritbot added a project: Patch-For-Review.Jun 25 2017, 5:52 AM
MarkAHershberger added subscribers: Paladox, aaron.Jun 25 2017, 4:58 PM
gerritbot added a comment.Nov 24 2019, 1:51 AM

Change 361283 abandoned by markahershberger:
Pay attention to CAPTCHA failures

https://gerrit.wikimedia.org/r/361283

Maintenance_bot removed a project: Patch-For-Review.Nov 26 2019, 11:48 AM
MarkAHershberger removed MarkAHershberger as the assignee of this task.May 20 2020, 6:43 PM
JeffreyWang added a subscriber: JeffreyWang.Feb 25 2021, 5:53 PM
JeffreyWang added a comment.EditedFeb 25 2021, 5:56 PM

I understand this has been a bug for 4 years. It's kind of alarming because this makes wikis still susceptible to spambot attacks that target Special:RequestAccount. Some spambots on our wikis have already started to take advantage of this. Before they do, this needs to be fixed or lots of wikis relying on this extension will fall prey to spambots. I understand that humans can filter through the spam accounts, but this extension doesn't offer a mass-reject tool. Furthermore, for those using SES for email on their wikis, this can drive up bounce rates to a dangerous point where they might risk being booted off of SES. Has any other work been done on this so far?

JeffreyWang added a comment.Feb 26 2021, 1:32 AM

Looks like there's no code in Special:RequestAccount to even handle the checking of captchas. Furthermore ConfirmAccount doesn't expose any hooks, so it's difficult for ConfirmEdit to extend ConfirmAccount. I'm working on a temporary stopgap solution for hCaptcha since that is our priority need right now at MyWikis, but hope this is some useful food for thought.

JeffreyWang added a comment.Feb 26 2021, 4:00 AM

Since this is a priority for MyWikis, I have written the first (very temporary) patch fixes for hCaptcha only (since it is the most effective captcha currently publicly available). It's not pretty but it'll do the job for anyone who needs to secure their wiki immediately.

Here are the changed files:

MediaWiki 1.35+:

MediaWiki 1.31:

Also posted at https://www.mediawiki.org/w/index.php?title=Topic:W449yd63slfossl2&topic_showPostId=w457lxnfmrb51gct#flow-post-w457lxnfmrb51gct

I don't expect these changes to be merged as a solution for this bug report but hope this helps.

Vedmaka added a subscriber: Vedmaka.Jun 17 2021, 2:25 PM
Kghbln awarded a token.Oct 7 2021, 7:47 PM
Kghbln added a subscriber: Kghbln.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL