
Suggestion for forgotten password lookup scheme
Closed, Declined | Public

Description

There is a bug with Wikimedia's forgotten password form when attempting to edit a page:

I entered my correct username but then made a typo on my email address. (1) The site should validate that a correct email address was provided as what pairs with a known username; this is not really a security danger and the site could use an "I am not a robot" CAPTCHA, and (2) the site should not disallow repeat requests within 24 hours; this is just silly.

Please consider my feedback and suggestion.

Thanks for listening, :)
Peter in San Diego CA USA

Event Timeline

Aklapper changed the task status from Open to Stalled. Mar 29 2018, 11:18 AM

Hi @Vid2vid, thanks for taking the time to report this and welcome to Phabricator!

Is this about Special:PasswordReset? That page says "Fill in one of the fields" (emphasis by me) so I don't understand the problem, I am afraid.
A clear list of steps to reproduce is welcome when filing tasks - see https://www.mediawiki.org/wiki/How_to_report_a_bug

Even if both a username and email address were needed, it really is a security danger. It allows anybody out there (like governments) to verify whether a user name is related to a specific email address which is also potentially used in other places on the internet. That is why MediaWiki after entering a username says "If there is an email address associated with this username, then a password reset email will be sent."

Unfortunately closing this report as no further information has been provided.

@Vid2vid: After you have provided the information asked for and if this still happens, please set the status of this report back to "Open" via the Add Action...Change Status dropdown. Thanks!
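The uniform reply discussed in this task, as an added example that is not part of the original thread and is not MediaWiki's code: a reset handler whose response is identical whether the username exists, the email matches, or a mail was actually queued. The class, the sample accounts and the silent handling of the 24-hour throttle are assumptions made for illustration.

```python
import time

# Constructed sample accounts (hypothetical; not real users).
ACCOUNTS = {"Alice": "alice@example.org", "Bob": None}  # Bob has no email set
THROTTLE_SECONDS = 24 * 3600  # the 24-hour limit mentioned in the report
GENERIC_REPLY = ("If there is an email address associated with this username, "
                 "then a password reset email will be sent.")


class ResetService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock
        self.last_sent = {}  # username -> time a reset mail was last queued
        self.outbox = []     # stands in for the outgoing mail queue

    def _matches(self, username, email):
        """Accounts that satisfy every field the requester filled in."""
        if not username and not email:
            return []
        found = []
        for user, address in self.accounts.items():
            if address is None:
                continue  # nothing to send to
            if username and user != username:
                continue
            if email and address.lower() != email.strip().lower():
                continue
            found.append(user)
        return found

    def request_reset(self, username=None, email=None):
        """Queue mail for matching accounts; the reply never depends on the result."""
        now = self.clock()
        for user in self._matches(username, email):
            last = self.last_sent.get(user)
            if last is not None and now - last < THROTTLE_SECONDS:
                continue  # assumption: throttle silently, so it reveals nothing
            self.last_sent[user] = now
            self.outbox.append((user, self.accounts[user]))
        return GENERIC_REPLY
```

A requester who mistypes the email sees the same text as one who typed it correctly; the only difference is whether a message reaches the address already on file.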