Notification of failed login attempt triggered by Wikipedia Android app (beta)?
Open, High, Public, 5 Story Points

Description

Is it possible that the use of the Wikipedia app for Android (beta) triggers a failed login attempt -- sometimes?

The claim is vague and I cannot reproduce it, but I have been suspecting for a while that there is a connection between the notifications of failed login attempts and my use of this app. Using the app doesn't always trigger the notification, but I would swear that when I get that notification, I have been using the app (which I do sporadically).

To add a bit more vagueness, a possible factor to consider is the app user changing language when using the search. Again, I know it might not make much sense, but it is the feeling I have. I will keep paying attention and reporting any facts or thoughts.

If someone is able to look at logs, User:QuimGil received a failed login notification on 2017-10-21 just a few minutes after doing a search on Catalan Wikipedia from the Android app (beta).

From merged task:

A bug report from wikimedia.org, https://www.mediawiki.org/wiki/Topic:U12oukyg4w1h6tnx
GPHemsley
"I have the Wikipedia mobile app installed on both my phone and my tablet (both Android devices), and I have seen a significant uptick in the last couple of months of notifications of a multitude of failed login attempts that seem to coincide with my having opened the app, perhaps with a less-than-reliable internet connection. Is this a known issue?"
I asked him to confirm whether these are failed attempt notifications, or successful from an unfamiliar device. He says he's getting failed notices, but successful seems like it would make more sense...

QuimGil created this task. Oct 21 2017, 8:44 PM
Restricted Application added a subscriber: Aklapper. Oct 21 2017, 8:44 PM
QuimGil updated the task description. Oct 21 2017, 8:45 PM
Niharika added a subscriber: Niharika.

That's interesting. Thanks for reporting, Quim.

In theory, as long as you're logged in from the same IP and same device every time, this should not happen. I'm not sure if the app does something strange to cause such behavior. I will check if the behavior with iOS app is similar.

Today it happened again, when QuimGil performed a search for Catalan Wikipedia from the app. I am going to try once per day from now on.

The app is logged in. I am connecting via mobile data.

Framawiki added a comment. Edited Nov 1 2017, 8:36 AM

Another report from a user receiving multiple notifications each time she logs on from her Android: https://fr.wikipedia.org/wiki/Sujet:U12ms36gt7djise4

Framawiki triaged this task as High priority. Nov 1 2017, 9:20 AM

I allow myself to increase the priority, since it potentially concerns all Wikimedians using the Android app.

MaxSem added a subscriber: MaxSem. Nov 1 2017, 6:33 PM

He says he's getting failed notices, but successful seems like it would make more sense...

Looking at logs, this account is getting both login-fail-known and login-fail-new, the logged URL is /w/api.php?action=clientlogin&format=json&formatversion=2&rememberMe= in both cases.

Dbrant added a subscriber: Dbrant. Nov 1 2017, 7:06 PM

That does indeed look like the URL format that the Android app uses...

Dbrant added a comment. Nov 1 2017, 7:33 PM

Do these users have 2FA enabled? (and do the logs say anything about this?)

kaldari set the point value for this task to 5. Nov 1 2017, 11:32 PM

I can confirm that I use the beta Wikipedia Android app on both of my Android devices. When I visit Wikipedia on the web, I'm greeted with a new message of multiple failed attempted logins. (I also get a corresponding e-mail each time.)

(I didn't test every day as I promised but) Yesterday night it happened again. This time I was clicking a link from a Google Hangout chat in my mobile device to https://en.wikipedia.org/wiki/Wikipedia:Arbitration_Committee/Noticeboard. The link activated the Wikipedia app, and a few seconds after I got the email about the Failed Attempt.

Mholloway added a comment. Edited Nov 30 2017, 1:37 AM

I talked this over a bit with @MaxSem on IRC and he pointed me to this task. I no longer work on the Android team, so my information may be a bit out of date, but I think I've identified a plausible path for this to occur:

When a user launches the app and the app believes the user is logged in, it attempts to sync certain user preferences (stored in userjs) via the API and, in some cases, polls the API for user notifications. In both of these situations the app requests a CSRF token from the API via CsrfTokenClient. If the API returns an anonymous token (+\) despite the app believing the user is logged in, the app will clear its cookies, retrieve the user's credentials from the system Account Manager, and attempt to log the user back in via the API (action=clientlogin) and retry the token request (source). This login attempt failing for some reason would produce the effect of the user receiving a failed login notification shortly after launching the app, which is what it sounds like @QuimGil and others are seeing.

I'm not sure offhand why this login would fail, but in digging into this issue I did notice a rather smelly bit of code in which the app requests the current user accounts in the system associated with the app and simply takes the first one off the returned list (source). It might not be safe to assume that the first item returned is the one we want, although without further investigation I'm not sure how we'd get into a state in which multiple accounts are registered.

I see this more often when I'm away from home... Is it possible that the app is doing some sort of location/network checking at the same time? Or perhaps has not verified that it has a working Internet connection?

Dbrant added a comment. Dec 6 2017, 2:35 PM

We're still not able to reproduce this behavior ourselves, but @Mholloway's description is essentially correct:

  • The app requests a CSRF token (for a variety of reasons)
  • If the app believes that the user is logged in, but it receives an anonymous token, it will re-login the current user with credentials stored in Android's AccountManager.

Perhaps the API is logging an error if it receives a stale cookie? Or does it care if the user suddenly starts making requests from a different IP?

Someone reported via OTRS (ticket 2017120510008296) that they were getting a lot of failed login notifications, and they are using the Android app. I don't know for sure if the app was the culprit but I thought I'd let you know in case you wanted to talk to them (you'll need OTRS access, though).

Failed login attempt notifications are issued if the login is from a new IP (i.e. an IP that is not associated with that user in the CheckUser table). LoginNotify also sets a cookie but that wouldn't work on the app, so it's likely the IP address problem.
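
A toy model, added here and not code from the Wikipedia app or from MediaWiki, of the two mechanisms this thread describes: the app's CSRF-token check with re-login from AccountManager credentials (Mholloway's comment above) and LoginNotify's classification of a failed login by whether the IP is already associated with the user (this comment). The user name, the IP addresses and the stale stored password used as the reason the re-login fails are constructed assumptions; the thread itself does not establish why the re-login fails.

```python
from dataclasses import dataclass, field

ANON_TOKEN = "+\\"  # the CSRF token MediaWiki hands to an anonymous session


@dataclass
class ToyWiki:
    """Toy server: sessions, passwords and a CheckUser-like IP history (assumed model)."""
    passwords: dict
    known_ips: dict = field(default_factory=dict)   # user -> IPs seen on successful logins
    sessions: dict = field(default_factory=dict)    # cookie -> user
    notifications: list = field(default_factory=list)

    def csrf_token(self, cookie):
        user = self.sessions.get(cookie)
        return f"csrf-{user}" if user else ANON_TOKEN

    def clientlogin(self, user, password, ip):
        # Success: remember the IP for the user and hand back a session cookie.
        if password == self.passwords.get(user):
            self.known_ips.setdefault(user, set()).add(ip)
            cookie = f"sess-{user}-{ip}"
            self.sessions[cookie] = user
            return cookie
        # Failure: LoginNotify's rule from the thread, keyed on whether the IP is known.
        kind = "login-fail-known" if ip in self.known_ips.get(user, ()) else "login-fail-new"
        self.notifications.append((user, kind, ip))
        return None


@dataclass
class ToyApp:
    """Toy client mirroring the app's token check and re-login path."""
    user: str
    stored_password: str   # what the app keeps in Android's AccountManager
    cookie: str = None

    def sync_prefs(self, wiki, ip):
        token = wiki.csrf_token(self.cookie)
        if token == ANON_TOKEN:            # server no longer recognises the session
            self.cookie = None             # clear cookies, as the app does ...
            self.cookie = wiki.clientlogin(self.user, self.stored_password, ip)  # ... and re-login
            token = wiki.csrf_token(self.cookie)
        return token


def run_scenario(stored_password, launch_ip):
    """Log in at home, let the session expire server-side, then launch the app from launch_ip."""
    wiki = ToyWiki(passwords={"alice": "correct-horse"})          # constructed account
    app = ToyApp("alice", stored_password)
    app.cookie = wiki.clientlogin("alice", "correct-horse", "10.0.0.5")  # constructed home IP
    wiki.sessions.clear()                                         # session expiry (assumed trigger)
    app.sync_prefs(wiki, launch_ip)
    return wiki.notifications
```

In this model the same app behaviour yields login-fail-new when the re-login comes from an IP the user has never logged in from and login-fail-known from an already-seen one, which matches the two event types MaxSem found in the logs.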

TBolliger added a subscriber: TBolliger.

Is this still happening? Is this reproducible? Can we close this?