Page MenuHomePhabricator

Extension:GlobalBlocking should prevent any way of local account creation, attachment included
Open, LowPublic

Description

Today a noxious IP-hopping vandal managed to register an account on Meta-wiki from a (globally blocked) IP which was not blocked locally. Subsequently, using (then anon-only) blocked range 195.154.0.0/16, the vandalistic account was attached to multiple Wikimedia projects in spite of existing global block. Extension:GlobalBlocking should deter creation of local accounts from blocked IPs, including anon-only blocked IPs – the same behaviour as one of the core (local) IP block.

The currently deployed version of GlobalBlocking is (8515958).

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 4 2018, 1:38 PM
Bawolff added subscribers: TBolliger, dbarratt, Bawolff.

Is this in scope of Anti-Harassment team?

Restricted Application added a subscriber: MGChecker. · View Herald TranscriptJul 9 2018, 11:34 PM
Bawolff triaged this task as Low priority.Jul 9 2018, 11:35 PM

[This is considered a low priority in the context of security issues which we prioritize based on severity. My marking it as low should not be taken to mean i think its unimportant or anything like that]

TBolliger moved this task from Untriaged to Backlog on the Anti-Harassment board.Jul 18 2018, 3:59 PM

The Anti-Harassment Tools team will keep track of this but cannot commit to work on it until it becomes a more urgent matter. (I agree with the Low priority, relative to other work.)

At the moment there is no concept of global blocks for usernames, just global locks. We'd need to solve for how to represent the autoblock if there is no referenceable block on a wiki.