Page MenuHomePhabricator
Create Task
Maniphest T217613

Audit anti-abuse API calls and determine if they should be publicly visible
Open, LowPublic
Actions

Description

Take a look at these publicly available APIs and see how much information we give away without authentication.

Write a proposal of which should be restricted to trusted ("privileged") users only.

Thanks to @MER-C for this suggestion

Event Timeline

TBolliger created this task.Mar 5 2019, 12:26 AM
Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptMar 5 2019, 12:26 AM
Krenair subscribed.EditedMar 5 2019, 12:28 AM

dunno about antispoof (it probably just runs some public normalisation rules against the public user list?) but I expect the first two are just convenience validation against https://en.wikipedia.org/wiki/MediaWiki:Titleblacklist and https://en.wikipedia.org/wiki/MediaWiki:Spam-blacklist

MER-C added a comment.EditedMar 5 2019, 7:50 PM

Yes, that is true. But I argue that:

  1. most of the title blacklist should not be publicly visible for that exact reason
  2. the title blacklist should be private anyway to stop harassing usernames being broadcast publicly
  3. the whole point of the anti-abuse effort is to make it as inconvenient as possible - i.e. force them to go through the GUI and test them one by one, tripping up rate limits and triggering CAPTCHAs as they go along. After all registering harassing usernames requires validating them against the blacklist.

The same logic applies to T212718 - we no longer give this information away to non-autoconfirmed and logged out users who use the GUI, so why should we do so via the API?

Platonides subscribed.Mar 5 2019, 8:29 PM

Titleblacklist, spamblacklist and antispoof use data from public wiki pages.
One could manually parse the wikitext, extract the regex and apply them locally.

Thus, I don't see the need to restrict these API calls.

TBolliger moved this task from Product/Tech backlog to Triage/To be Estimated on the Anti-Harassment board.Mar 6 2019, 11:24 PM
TBolliger triaged this task as Low priority.Mar 7 2019, 6:39 PM
TBolliger moved this task from Triage/To be Estimated to Product/Tech backlog on the Anti-Harassment board.

If we're going to remove this from the API we should also remove them from the public wiki page, and obfuscate them to some degree

DannyS712 subscribed.Aug 10 2019, 11:33 AM
Niharika added a project: AHT-Roadmap.Apr 15 2021, 1:52 PM
Niharika removed a project: AHT-Roadmap.Apr 29 2021, 5:32 PM
TAdeleye_WMF edited projects, added Trust and Safety Product Team; removed Anti-Harassment.May 14 2024, 4:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits