AntiSpoof should check against CentralAuth database
Closed, Resolved
Public


Currently, there is a MAJOR leak in the anti spoof system. In order to create an account name similar to that of an existing user (even if the user already has an SUL, which they probably mostly do), all you need to do is find a Wiki project where the user doesn't have an account yet (probably easy to guess, or else it can be checked), create a similar account name (this is an SUL), and then log in where the active user is active - and you have spoofed him successfully.

Version: unspecified
Severity: enhancement
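
The gap described in this report, as an added example (not AntiSpoof or CentralAuth code): the same look-alike name is rejected on the wiki where the original account exists locally, passes a local-only check on another wiki, and is caught once the global account names are consulted. The `skeleton` folding is a simplified stand-in for the extension's normalization, and the wiki names and account sets are constructed sample data.

```python
import unicodedata

# Simplified stand-in for confusable folding (assumption, not the
# extension's real equivalence table).
FOLD = str.maketrans({
    "0": "o", "1": "l", "I": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})


def skeleton(name):
    """Fold a username to a comparison key so look-alikes collide."""
    text = unicodedata.normalize("NFKC", name)
    # Fold capital I before casefolding, then fold again so upper-case
    # Cyrillic letters are caught after they have been lower-cased.
    text = text.translate(FOLD).casefold().translate(FOLD)
    return text.replace(" ", "").replace("_", "")


# Constructed sample data: the user has a local account only on enwiki,
# but the name is registered globally (SUL).
LOCAL_ACCOUNTS = {"enwiki": {"Alice Example"}, "dewiki": set()}
GLOBAL_ACCOUNTS = {"Alice Example"}


def conflicts(candidate, existing):
    """Return existing names whose skeleton matches the candidate's."""
    key = skeleton(candidate)
    return sorted(n for n in existing if skeleton(n) == key)


def local_only_check(wiki, candidate):
    """Behaviour the report describes: only the sign-up wiki is consulted."""
    return conflicts(candidate, LOCAL_ACCOUNTS[wiki])


def global_check(wiki, candidate):
    """Requested behaviour: also compare against the global account names."""
    return conflicts(candidate, LOCAL_ACCOUNTS[wiki] | GLOBAL_ACCOUNTS)


if __name__ == "__main__":
    spoof = "AIice Example"  # capital I in place of lower-case l
    for wiki in ("enwiki", "dewiki"):
        print(wiki, "local:", local_only_check(wiki, spoof),
              "global:", global_check(wiki, spoof))
```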


bzimport set Reference to bz15545.

soxred93 wrote:

Changing to MediaWiki extensions, as AntiSpoof is an extension.

soxred93 wrote:

*** Bug 15841 has been marked as a duplicate of this bug. ***

mike.lifeguard+bugs wrote:

Updated summary.

*** Bug 19869 has been marked as a duplicate of this bug. ***

Duping against bug 28747, as that's where the work has been done.

*** This bug has been marked as a duplicate of bug 28747 ***
