Page MenuHomePhabricator

Failed captcha attempts on Special:CreateAccount counts against the account creation limit per IP address
Open, Needs TriagePublic

Description

Background

When creating an account, each account creation increments an internal number of creation attempts for the IP address originating the request. This is used to block new account creations after a specified limit on each day. Currently, Wikipedia has 6 account creations for a given IP per day. Once the limit is reached, Special:CreateAccount will display a message telling the user about that limit and preventing new account creations for that IP.

Problem

On wikis using a captcha, when the fields for the account creation form are correct (password policy compliance, username not taken, password match, etc), but the captcha field fails to validate, submitting the form causes it to increment the number of accounts created for that IP, even if the account hasn't been created.

This can effectively lock new users if they fail to resolve the captcha correctly, specially if the limit for account creations for an IP are low.

Steps to reproduce

This can be tested currently on any WMF wikis (wikipedia for example).

  1. Go to https://en.wikipedia.org/wiki/Special:CreateAccount
  2. Fill the username and passwords fields correctly, ensure there's no validation error
  3. Enter any random text on the captcha field that does NOT match the captcha
  4. Repeat steps 1-3 6 more times

Expected results: You can repeat those steps "indefinitely" and still be able to create the captcha at a given time if you solve the captcha correctly.

Actual results: The account has never been created, but you get this message: "Visitors to Wikipedia using your IP address have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment"

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 24 2019, 10:09 AM

I've added a note about this bug to Manual:$wgAccountCreationThrottle, to remember to remove it once the bug has been fixed.

I though setting a limit of 1 per IP was good enough for our wiki, before knowing about this bug 😦

JJMC89 added a subscriber: JJMC89.Sep 24 2019, 2:42 PM

Failing for other reasons, e.g. triggering AntiSpoof, also counts against the limit. I think you get $wgAccountCreationThrottle attempts to create an account.

Jony added a subscriber: Jony.Sep 24 2019, 4:22 PM