
Should require a login
Open, Medium, Public


Someone sent a message to the Stewards using pretending to be another user. The legitimate party was surprised to get an emailed reply about the fake submission.

The reporting person's (the legitimate user's) suggestion is that should require the submitter to be logged in, or the message to the Stewards should indicate that it wasn't sent by a logged in user.

Does anything need to be done with this?

Event Timeline

Dsharpe created this task. May 21 2019, 8:09 PM
Restricted Application added a subscriber: Aklapper. May 21 2019, 8:09 PM

Locked users can't use the form if we require a login...

It's interesting that the legitimate party got the response - do we set reply-to to the user-provided email?
Even as a logged-in user I appear to be able to go to that form and set a different email address. Maybe it should be made clear that the email provided is unverified.
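The two observations above (a reply-to taken straight from the form, and a logged-in user being able to type any address) are the whole risk here: whoever the submitter names receives the queue's reply. The following is an added illustration of how a contact-form mailer can handle that, written in Python rather than MediaWiki's PHP and not taken from Special:Contact or any Wikimedia code. The queue and sender addresses are constructed placeholders, and the function names are hypothetical. The policy it implements is the one suggested in this task: set Reply-To only when a logged-in user supplied the address already verified on their account, and otherwise leave Reply-To out and put an unmistakable "unverified" banner at the top of the message for the agent who reads it.

```python
import re
from email.message import EmailMessage

# Constructed placeholder addresses; not the real Stewards queue.
QUEUE_ADDRESS = "stewards-queue@example.org"
FORM_SENDER = "contact-form@example.org"

# Deliberately strict: exactly one bare address, no display name, no
# whitespace or header-breaking characters, so a user-supplied value can
# never become a malformed or injected mail header.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_sender(provided_email, username=None, verified_email=None):
    """Decide how far the queue may trust the address typed into the form.

    Returns (address_or_None, verified):
      - address is None when the input is not a single well-formed address;
      - verified is True only when a logged-in user supplied exactly the
        address already confirmed on their own account.
    """
    addr = (provided_email or "").strip().lower()
    if not ADDRESS_RE.fullmatch(addr):
        return None, False
    verified = bool(username and verified_email
                    and addr == verified_email.strip().lower())
    return addr, verified


def _one_line(text):
    """Header values must not contain line breaks (hypothetical helper)."""
    return " ".join(text.splitlines())


def build_contact_email(subject, body, provided_email,
                        username=None, verified_email=None):
    """Build the message the queue receives (hypothetical function).

    Reply-To is set only for a verified address. Otherwise the message
    carries no Reply-To at all and the body opens with a banner telling the
    agent that the sender is unauthenticated, so a reply is never routed
    automatically to a third party who was merely named by the submitter.
    """
    addr, verified = classify_sender(provided_email, username, verified_email)
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = QUEUE_ADDRESS
    msg["Subject"] = "[Contact form] " + _one_line(subject)

    if verified:
        msg["Reply-To"] = addr
        msg["X-Contact-Sender"] = f"user={username}; address=verified"
        banner = (f"Submitted by logged-in user {username}. Reply address "
                  f"{addr} matches the verified address on the account.")
    else:
        who = (f"logged-in user {username}" if username
               else "a visitor who was NOT logged in")
        shown = addr if addr else "(no usable address)"
        msg["X-Contact-Sender"] = (f"user={username or 'anonymous'}; "
                                   "address=unverified")
        banner = (f"WARNING: submitted by {who}. The reply address {shown} "
                  "is UNVERIFIED and may belong to someone else; confirm "
                  "before replying to it.")
    msg.set_content(banner + "\n\n" + body)
    return msg


if __name__ == "__main__":
    # Anonymous submission naming somebody else's address: no Reply-To.
    print(build_contact_email("Help", "Please look at this.",
                              "someone-else@example.org"))
```

The design choice worth noting is that the unverified case does not merely annotate the message; it omits Reply-To entirely, so an agent's reflexive "reply" cannot reach the impersonated party without the agent first reading the banner and choosing the address deliberately.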

revi added a subscriber: revi. May 22 2019, 3:41 AM

Locked users can't use the form if we require a login...

Our OTRS queue address is public and advertised via Stewards requests pages and other places anyway.

revi added a comment. Jul 10 2019, 1:56 AM

I can see a spike (for last few days to weeks) with someone pretending to be WMF department, employee, contractor, etc etc using the form to spam our queue and (to distribute automated reply to them).

It seems that George Reeves Person entered Jimbo Wales' Wikimedia email address multiple times creating a bunch of tickets. Please see #2019072010004768, #2019072010004741, and 16 others.

MarcoAurelio removed the point value for this task. Jul 21 2019, 12:19 PM

{T167219} is also somewhat related to this.

Teles added a subscriber: Teles. Jul 21 2019, 4:50 PM
chasemp triaged this task as Medium priority. Dec 9 2019, 4:08 PM
jrbs added a subscriber: jrbs. Edited Feb 6 2020, 7:37 PM

Very closely related (but not the same, IMO) to {T244511} - proposed solution here is different

This is likely a duplicate of T167219.

Aklapper added a parent task: Restricted Task. Fri, May 22, 1:13 PM

Is a large point of Special:Contact that it doesn't need a user? Just like with direct email to a mailing list/otrs pilot address, the recipients should never assume that the from/reply-to address is authenticated.