Page MenuHomePhabricator
Create Task
Maniphest T224059

Should https://meta.wikimedia.org/wiki/Special:Contact/Stewards require a login
Open, MediumPublic
Actions

Description

Someone sent a message to the Stewards using https://meta.wikimedia.org/wiki/Special:Contact/Stewards pretending to be another user. The legitimate party was surprised to get an emailed reply about the fake submission.

The reporting person's (the legitimate user's) suggestion is that https://meta.wikimedia.org/wiki/Special:Contact/Stewards should require the submitter to be logged in, or the message to the Stewards should indicate that it wasn't sent by a logged in user.

Does anything need to be done with this?

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 OpenNoneT224059 Should https://meta.wikimedia.org/wiki/Special:Contact/Stewards require a login

Event Timeline

Dsharpe created this task.May 21 2019, 8:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 21 2019, 8:09 PM
Krenair subscribed.May 21 2019, 8:10 PM
Legoktm subscribed.May 21 2019, 8:20 PM

Locked users can't use the form if we require a login...

Legoktm added a project: Stewards-and-global-tools.May 21 2019, 8:20 PM
Krenair added a project: MediaWiki-extensions-ContactPage.May 22 2019, 12:50 AM

Its interesting that the legitimate party got the response - do we set reply-to to the user-provided email?
Even as a logged in user I appear to be able to go to that form and set a different email address. Maybe it should be made clear that the email provided is unverified.

revi subscribed.May 22 2019, 3:41 AM
In T224059#5202149, @Legoktm wrote:

Locked users can't use the form if we require a login...

Our OTRS queue address is public and advertised via Stewards requests pages and other places anyway.

revi added a comment.Jul 10 2019, 1:56 AM

I can see a spike (for last few days to weeks) with someone pretending to be WMF department, employee, contractor, etc etc using the form to spam our queue and (to distribute automated reply to them).

Bsadowski1 subscribed.Jul 21 2019, 6:09 AM

It seems that George Reeves Person entered Jimbo Wales' Wikimedia email address multiple times creating a bunch of tickets. Please see #2019072010004768, #2019072010004741, and 16 others.

MarcoAurelio removed the point value for this task.Jul 21 2019, 12:19 PM
MarcoAurelio subscribed.Jul 21 2019, 12:22 PM

{T167219} is also somewhat related to this.

Teles subscribed.Jul 21 2019, 4:50 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 4:08 PM
jrbs subscribed.EditedFeb 6 2020, 7:37 PM

Very closely related (but not the same, IMO) as {T244511} - proposed solution here is different

chasemp added a project: Security.Feb 10 2020, 10:57 PM
Trijnstel subscribed.Feb 14 2020, 9:52 PM

This is likely a duplicate of T167219.

HakanIST subscribed.Feb 16 2020, 6:40 AM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
DannyS712 subscribed.Mar 15 2020, 3:00 AM
Xaosflux subscribed.Apr 19 2020, 3:33 PM
Aklapper added a parent task: Restricted Task.May 22 2020, 1:13 PM
Xaosflux added a comment.May 22 2020, 1:27 PM

Is a large point of Special:Contact that it doesn't need a user? Just like with direct email to a mailing list/otrs pilot address, the recipients should never assume that the from/reply-to address is authenticated.

kolbert subscribed.May 24 2020, 10:56 PM
Zabe subscribed.Oct 4 2021, 11:38 PM
Stang subscribed.Jan 29 2022, 1:04 AM
Zabe mentioned this in T298784: Security Issue Access Request for Zabe.Jun 9 2022, 9:50 PM
Wugapodes mentioned this in T324175: Limit modification of ContactPage name and email.Dec 1 2022, 12:46 AM
Xeno_WMF subscribed.Dec 21 2022, 10:58 PM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-ContactPage board.Jan 29 2024, 3:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL