
Failed captcha attempts on Special:CreateAccount count against the account creation limit per IP address
Open, Needs Triage, Public

Description

Background

When creating an account, each account creation increments an internal number of creation attempts for the IP address originating the request. This is used to block new account creations after a specified limit on each day. Currently, Wikipedia has 6 account creations for a given IP per day. Once the limit is reached, Special:CreateAccount will display a message telling the user about that limit and preventing new account creations for that IP.

Problem

On wikis using a captcha, when the fields for the account creation form are correct (password policy compliance, username not taken, password match, etc), but the captcha field fails to validate, submitting the form causes it to increment the number of accounts created for that IP, even if the account hasn't been created.

This can effectively lock out new users if they fail to resolve the captcha correctly, especially if the limit for account creations for an IP is low.

Steps to reproduce

This can be tested currently on any WMF wikis (wikipedia for example).

  1. Go to https://en.wikipedia.org/wiki/Special:CreateAccount
  2. Fill in the username and password fields correctly, and ensure there is no validation error
  3. Enter any random text on the captcha field that does NOT match the captcha
  4. Repeat steps 1-3 six more times

Expected results: You can repeat those steps "indefinitely" and still be able to create the account at any given time if you solve the captcha correctly.

Actual results: The account has never been created, but you get this message: "Visitors to Wikipedia using your IP address have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment."
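To make the ordering problem concrete, here is an added Python model of the two orderings; it is not MediaWiki code and does not reproduce its cache-backed throttle. The first handler bumps the per-IP counter as soon as the form fields validate, before the captcha is checked (the behaviour reported above); the second counts only an account that was actually created. The limit of 6, the IP address and the `Throttle` class are constructed for the example.

```python
from collections import defaultdict

# Assumed limit, matching the figure quoted in the report (not read from any config).
ACCOUNT_CREATION_THROTTLE = 6


class Throttle:
    """Per-IP counter with a fixed limit. Simplified model: no 24-hour expiry."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def is_exceeded(self, ip):
        return self.counts[ip] >= self.limit

    def increment(self, ip):
        self.counts[ip] += 1


def create_account_buggy(throttle, ip, captcha_ok):
    """Ordering described in the report: the counter is incremented once the
    form fields validate, before the captcha result is known."""
    if throttle.is_exceeded(ip):
        return "throttled"
    throttle.increment(ip)          # counted even if the captcha fails below
    if not captcha_ok:
        return "captcha-failed"
    return "created"


def create_account_fixed(throttle, ip, captcha_ok):
    """Expected ordering: only a successful creation counts against the limit."""
    if throttle.is_exceeded(ip):
        return "throttled"
    if not captcha_ok:
        return "captcha-failed"     # nothing was created, so nothing is counted
    throttle.increment(ip)
    return "created"


def run_scenario(handler, attempts):
    """Replay a list of submissions from one IP (True = captcha solved)
    and return the outcome of each one, in order."""
    throttle = Throttle(ACCOUNT_CREATION_THROTTLE)
    return [handler(throttle, "198.51.100.7", ok) for ok in attempts]


# Constructed input mirroring the reproduction steps: six wrong captchas, then a correct one.
SCENARIO = [False] * 6 + [True]
```

With the reported ordering the seventh, correctly solved submission is refused as "throttled"; with the fixed ordering it is "created". Counting only successes does not remove the need for a separate limit on captcha failures, which the fixed handler leaves to the captcha layer.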

Event Timeline

I've added a note about this bug to Manual:$wgAccountCreationThrottle, to remember to remove it once the bug has been fixed.

I thought setting a limit of 1 per IP was good enough for our wiki, before knowing about this bug 😦

Failing for other reasons, e.g. triggering AntiSpoof, also counts against the limit. I think you get $wgAccountCreationThrottle attempts to create an account.