Page MenuHomePhabricator
Create Task
Maniphest T250131

Allow the owner to lock its former account if it has been compromised
Open, Needs TriagePublic
Actions

Description

Currently, there are two ways to assert control of a wiki account:

  • By knowing its password (which allows you to change the password and the associated email)
  • By having access to its email (which allows you to reset the password)

(plus a few 'detached' ones, such as identity commits or additional accounts linked from the account)

A wiki account may be compromised by compromising any of those methods.

If the email account was compromised, the only recourse of the user is to change the email associated to the account before the attacker resets the password.

If the account password was compromised (which is probably more common, does anyone have numbers here?), the old owner receives a notification email about it,¹ but the attacker will have changed both the email and password by the time the original owner reads it. Moreover, the victim is simply told "If this was not you, contact a site administrator immediately.", which is an acceptable advice for a generic MediaWiki install, but suboptimal for Wikimedia sites.

To begin with, from that message the user would go to contact a sysop (if any), which is completely unable to do anything about it, or even know if that person is in any way related to the account. T95829 proposes that the "real user" should be able to override it. However, here we don't know who the "real user" is. We have a split identity. It could be a case of a compromised password or a compromised email. Nevertheless, letting a compromised account unactioned is also a wrong choice, and it will bite you later.

I thus pose that when there is an email change, the notification message should contain a link with a token, valid for one week² which lets the holder open a page where they can fill out a textarea explaining the issue (e.g. "Help! I am hacked." or "I didn't change the email or password, but no I can't login") that, on submit, automatically locks the account and opens a ticket to be reviewed.³ By having an actual human, we can protect from an attacker trying to game the system, and assess the arguments given by both parties. the technical evidence relative to the account and its prior usage, as well as other means that may link it to other accounts.

Automatically locking the accounts, means the account may do no harm once detected by the owner (with no need to somehow demonstrate that they _are_ the real user to get it blocked), and allows giving a clear actionable to the victim: it is possible that someone stole your car, click here to stop it from being driven.

¹ notificationemail_body_changed / notificationemail_body_removed
² quite arbitrarily set, but this seems about right
³ By the Trust-and-Safety team, probably

Related Objects

Event Timeline

Platonides created this task.Apr 14 2020, 2:03 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 14 2020, 2:03 AM
Bugreporter added a project: MediaWiki-extensions-CentralAuth.Apr 14 2020, 2:42 AM
JJMC89 added a project: Trust-and-Safety.Apr 14 2020, 2:54 AM
JJMC89 removed a subscriber: Trust-and-Safety.
Luke081515 awarded a token.Apr 22 2020, 4:28 PM
DannyS712 subscribed.Apr 27 2020, 12:38 AM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.Jun 22 2020, 7:45 PM
Zabe subscribed.Dec 7 2021, 11:22 PM
Bugreporter moved this task from Backlog to Global account management (lock/hide/suppress) on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:42 AM
A_smart_kitten subscribed.Nov 23 2024, 11:40 AM
Base subscribed.Mar 27 2025, 6:16 AM

I am not sure if I caught everything, probably need to reread the description a couple more times again, but it feels like you are basically proposing to improve security for the case when the password gets changed by the attacker … but drastically worsen security for the case where the attacker gets access to the email account, as even if you do catch that and manage to change the email the attacker would have token that lets them now lock you out of your account completely?

OKryva-WMF edited projects, added: Product Safety and Integrity; removed: Trust-and-Safety.Sep 26 2025, 2:06 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 26 2025, 2:06 PM
OKryva-WMF moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.Sep 26 2025, 2:08 PM
OKryva-WMF edited projects, added: Trust-and-Safety; removed: Product Safety and Integrity.Sep 26 2025, 3:13 PM
JTweed-WMF edited projects, added: MediaWiki-Platform-Team (Radar); removed: MediaWiki-Platform-Team.Sep 29 2025, 2:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits