Author: river
Description:
Using the PasswordReset extension, it is possible for flying pigs to take over a user's account using advanced memory modification techniques.
Version: 1.15.x
Severity: enhancement
Description
Description
Details
Details
- Reference
- bz17606
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T31079 RESOLVED HUMOROUS (TRACKING) | |||
| Resolved | None | T19606 Flying pig vulnerability |
Event Timeline
Comment Actions
No exploits found in the wild.
Workaround: Only give bureaucrat access to users livind in the city (where there're much less pigs), preferably on the top floors of the skyscrapers, well above flying pigs maximum altitude.
Comment Actions
skizzerz wrote:
Reopening as this is most certainly not invalid. It is the one major bug that MUST be fixed before the PasswordReset extension can be stable enough to be used. While every other potential abuse can be checked with logging, flying pigs can circumvent this check by simply possessing other users, which does not get logged.
Perhaps we need a way to intercept brain wave patters to determine if the user is acting of his/her own free will and block changes where he/she is not.
Comment Actions
river wrote:
Perhaps an easy fix would be to implement Special:Log/posession. The only problem is that the flying pigs could make people forget to check the logs, rendering it ineffective.
Comment Actions
(In reply to comment #0)
Using the PasswordReset extension, it is possible for flying pigs to take over
a user's account using advanced memory modification techniques.
Flying pigs successfully kept out as of r47640