Page MenuHomePhabricator
Create Task
Maniphest T197156

Creating OAuth owner-only consumers should require elevated security
Closed, DuplicatePublic
Actions

Description

When someone compromises an account without obtaining the password, owner-only OAuth consumers can be used to create a permanent backchannel to that account (much like bot passwords). Doing that should require elevated security (reauthentication).

Details

SubjectRepoBranchLines +/-
Require reauthentication for proposing or managing consumersmediawiki/extensions/OAuthmaster+68 -1
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Jun 13 2018, 5:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2018, 5:12 PM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:22 PM
Tgr added a parent task: T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:24 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Tgr mentioned this in T208008: Consumer owner-only oauth proposals should require reauth.Oct 26 2018, 5:44 PM
Tgr closed this task as a duplicate of T208008: Consumer owner-only oauth proposals should require reauth.Nov 15 2018, 7:38 PM
Tgr removed a parent task: T197160: All security-sensitive MediaWiki functionality should require elevated security.
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
gerritbot added a comment.Jul 10 2020, 3:11 PM

Change 611342 had a related patch set uploaded (by Gergő Tisza; owner: Anomie):
[mediawiki/extensions/OAuth@master] Require reauthentication for proposing or managing consumers

https://gerrit.wikimedia.org/r/611342

gerritbot added a project: Patch-For-Review.Jul 10 2020, 3:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL