Page MenuHomePhabricator
Create Task
Maniphest T196329

Password reset request throttling/limit can be bypassed by going to another site
Closed, DuplicatePublic
Actions

Description

Imagine the following situation:

  • a) You request a password reset at dewiki
  • b) The request was made in abusive behaviour
  • c) You are trying to send another request
  • d) You recive the msg that you are limited to one request every 24 hours
  • e) You try it at enwiki

and there, it works...

Happened today.

Event Timeline

Luke081515 created this task.Jun 4 2018, 6:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 4 2018, 6:23 AM
Aklapper renamed this task from Password reset limits can easily be bypassed to Password reset request throttling/limit can be bypassed by going to another site.Jun 4 2018, 10:32 AM
Aklapper added projects: MediaWiki-Core-AuthManager, WMF-General-or-Unknown.
Tgr changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 28 2019, 1:58 AM
Tgr closed this task as a duplicate of T19487: mail password per user rate limit should be global for SUL accounts.
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL