Page MenuHomePhabricator
Create Task
Maniphest T178746

Notification of failed login attempt triggered by Wikipedia Android app (beta)?
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

Is it possible that the use of the Wikipedia app for Android (beta) triggers a failed login attempt -- sometimes?

The claim is vague and I cannot reproduce it, but I have been suspecting for a while that there is a connection between the notifications of login failed attempts and my use of this app. Using the app doesn't trigger the notification always, but I would swear that whe I get that notification, I have been using the app (which I do sporadically).

To bring a bit more of vagueness, a possible factor to consider is the app user changing language when using the search. Again, I know it might not make much sense, but is the feeling I have. I will keep paying attention and reporting any facts or thoughts.

If someone is able to look at logs, User:QuimGil received a failed login notification on 2017-10-21 just a few minutes after doing a search to Catalan Wikipedia from the Android app (beta).

From merged task:

A bug report from wikimedia.org, https://www.mediawiki.org/wiki/Topic:U12oukyg4w1h6tnx
GPHemsley
"I have the Wikipedia mobile app installed on both my phone and my tablet (both Android devices), and I have seen a significant uptick in the last couple of months of notifications of a multitude of failed login attempts that seem to coincide with my having opened the app, perhaps with a less-than-reliable internet connection. Is this a known issue?"
I asked him to confirm whether these are failed attempt notifications, or successful from an unfamiliar device. He says he's getting failed notices, but successful seems like it would make more sense...

Related Objects

Event Timeline

QuimGil created this task.Oct 21 2017, 8:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 21 2017, 8:44 PM
QuimGil updated the task description. (Show Details)Oct 21 2017, 8:45 PM
NHarateh_WMF added a project: Android-app-Bugs.Oct 23 2017, 4:06 PM
NHarateh_WMF moved this task from Needs Triage to Bug Backlog on the Wikipedia-Android-App-Backlog board.
Niharika added a project: Community-Tech.Oct 23 2017, 8:34 PM
Niharika subscribed.

That's interesting. Thanks for reporting, Quim.

In theory, as long as you're logged in from the same IP and same device every time, this should not happen. I'm not sure if the app does something strange to cause such behavior. I will check if the behavior with iOS app is similar.

QuimGil added a comment.Oct 29 2017, 5:57 PM

Today it happened again, when QuimGil performed a search for Catalan Wikipedia from the app. I am going to try once per day from now on.

The app is logged in. I am connecting via mobile data.

Framawiki subscribed.Oct 31 2017, 11:31 PM
Framawiki added a comment.EditedNov 1 2017, 8:36 AM

Another report from a user receiving multiple notifications each time she logs on from her android https://fr.wikipedia.org/wiki/Sujet:U12ms36gt7djise4

Framawiki triaged this task as High priority.Nov 1 2017, 9:20 AM

I allow myself to increase the priority, since it potentially concerns all wikimedians using android app.

Niharika merged a task: T179518: Bug report: LoginNotify sending notifications after opening the Wikipedia app?.Nov 1 2017, 6:26 PM
Niharika updated the task description. (Show Details)
Niharika added a subscriber: DannyH.
Niharika moved this task from New & TBD Tickets to Needs Discussion on the Community-Tech board.Nov 1 2017, 6:29 PM
MaxSem subscribed.Nov 1 2017, 6:33 PM

He says he's getting failed notices, but successful seems like it would make more sense...

Looking at logs, this account is getting both login-fail-known and login-fail-new, the logged URL is /w/api.php?action=clientlogin&format=json&formatversion=2&rememberMe= in both cases.

Dbrant subscribed.Nov 1 2017, 7:06 PM

That does indeed look like the URL format that the Android app uses...

Dbrant added a comment.Nov 1 2017, 7:33 PM

Do these users have 2FA enabled? (and do the logs say anything about this?)

MaxSem added a comment.Nov 1 2017, 7:50 PM

No.

kaldari set the point value for this task to 5.Nov 1 2017, 11:32 PM
GPHemsley subscribed.Nov 4 2017, 10:56 PM
GPHemsley added a comment.Nov 4 2017, 10:58 PM

I can confirm that I use the beta Wikipedia Android app on both of my Android devices. When I visit Wikipedia on the web, I'm greeted with a new message of multiple failed attempted logins. (I also get a corresponding e-mail each time.)

Screenshot from 2017-11-04 18-57-23.png (881×502 px, 73 KB)

QuimGil added a comment.Nov 28 2017, 9:57 AM

(I didn't test every day as I promised but) Yesterday night it happened again. This time I was clicking a link from a Google Hangout chat in my mobile device to https://en.wikipedia.org/wiki/Wikipedia:Arbitration_Committee/Noticeboard. The link activated the Wikipedia app, and a few seconds after I got the email about the Failed Attempt.

kaldari moved this task from Needs Discussion to CL, QA, Data analysis backlog on the Community-Tech board.Nov 28 2017, 11:52 PM
Mholloway subscribed.Nov 30 2017, 12:34 AM
Mholloway added a comment.EditedNov 30 2017, 1:37 AM

I talked this over a bit with @MaxSem on IRC and he pointed me to this task. I no longer work on the Android team, so my information may be a bit out of date, but I think I've identified a plausible path for this to occur:

When a user launches the app and the app believes the user is logged in, it attempts to sync certain user preferences (stored in userjs) via the API and, in some cases, polls the API for user notifications. In both of these situations the app requests a CSRF token from the API via CsrfTokenClient. If the API returns an anonymous token (+\\) despite the app believing the user is logged in, the app will clear its cookies, retrieve the user's credentials from the system Account Manager, and attempt to log the user back in via the API (action=clientlogin) and retry the token request (source). This login attempt failing for some reason would produce the effect of the user receiving a failed login notification shortly after launching the app, which is what it sounds like @QuimGil and others are seeing.

I'm not sure offhand why this login would fail, but in digging into this issue I did notice a rather smelly bit of code in which the app requests the current user accounts in the system associated with the app and simply takes the first one off the returned list (source). It might not be safe to assume that the first item returned is the one we want, although without further investigation I'm not sure how we'd get into a state in which multiple accounts are registered.

GPHemsley added a comment.Dec 2 2017, 9:05 PM

I see this more often when I'm away from home... Is it possible that the app is doing some sort of location/network checking at the same time? Or perhaps has not verified that it has a working Internet connection?

Dbrant added a comment.Dec 6 2017, 2:35 PM

We're still not able to reproduce this behavior ourselves, but @Mholloway's description is essentially correct:

  • The app requests a CSRF token (for a variety of reasons)
  • If the app believes that the user is logged in, but it receives an anonymous token, it will re-login the current user with credentials stored in Android's AccountManager.

Perhaps the API is logging an error if it receives a stale cookie? Or does it care if the user suddenly starts making requests from a different IP?

MusikAnimal subscribed.Dec 7 2017, 8:10 PM

Someone reported via OTRS (ticket 2017120510008296) that they were getting a lot of failed login notifications, and they are using the Android app. I don't know for sure if the app was the culprit but I thought I'd let you know in case you wanted to talk to them (you'll need OTRS access, though).

Niharika added a comment.Dec 8 2017, 4:59 AM
In T178746#3816121, @Dbrant wrote:

We're still not able to reproduce this behavior ourselves, but @Mholloway's description is essentially correct:

  • The app requests a CSRF token (for a variety of reasons)
  • If the app believes that the user is logged in, but it receives an anonymous token, it will re-login the current user with credentials stored in Android's AccountManager.

Perhaps the API is logging an error if it receives a stale cookie? Or does it care if the user suddenly starts making requests from a different IP?

Failed login attempt notifications are issued if the login is from a new IP (i.e. an IP that is not associated with that user in the CheckUser table). LoginNotify also sets a cookie but that wouldn't work on the app, so it's likely the IP address problem.

TBolliger moved this task from CL, QA, Data analysis backlog to Bug backlog on the Community-Tech board.Feb 13 2018, 10:48 PM
TBolliger subscribed.

Is this still happening? Is this reproducible? Can we close this?

Dbrant closed this task as Resolved.Jun 21 2018, 2:52 PM
Dbrant claimed this task.

I'm going to (boldly) close this task. If anyone still sees issues with failed login notifications while using the latest version of the app, please reopen with further descriptions.

Reedy moved this task from Backlog to Done on the MediaWiki-extensions-LoginNotify board.Apr 4 2020, 2:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL