Globally hidden usernames can be enumerated by unauthenticated users by crawling Special:GlobalUserRights with user IDs
Closed, Duplicate | Public | Security

Description

Special:GlobalUserRights allows a user to be selected via global user ID. The username is displayed even if the global user ID corresponds to an account which has been globally hidden.

This is an unauthenticated information disclosure vulnerability. On WMF wikis, usernames are typically globally hidden for privacy reasons, and may contain outing or other privacy-sensitive information. An unauthenticated user could crawl user IDs sequentially, or only those missing from a globalallusers query, in order to identify all hidden usernames.

I believe this can be remedied by performing a check similar to this one from CentralAuth's ApiQueryGlobalUserInfo.php, probably somewhere around here:

	// From ApiQueryGlobalUserInfo.php: reveal the account only when it exists and is
	// either not hidden or the requesting user holds the centralauth-oversight right.
	if ( $userExists && ( $user->getHiddenLevel() === CentralAuthUser::HIDDEN_NONE ||
		$this->getPermissionManager()->userHasRight( $this->getUser(), 'centralauth-oversight' ) )
	) {
		// ...
	}
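The check the description proposes, modelled as an added example (this is not CentralAuth's code; the user directory, hidden-level values and the sequential-ID replay are constructed here, and only the `HIDDEN_NONE` constant name and the `centralauth-oversight` right come from the snippet above). It puts the pre-fix resolver beside the fixed one and replays the ID crawl from the report against both, which is the regression check one would keep for this class of disclosure:

```python
"""Visibility check for resolving a global user ID to a username.

Added example with constructed data; not CentralAuth code. The hidden-level
names and the 'centralauth-oversight' right mirror the snippet quoted in the
task description, everything else is assumed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Hidden levels modelled on CentralAuthUser::HIDDEN_* (only HIDDEN_NONE is
# taken from the page; the other two are constructed stand-ins).
HIDDEN_NONE = "none"
HIDDEN_LISTS = "lists"
HIDDEN_SUPPRESSED = "suppressed"

OVERSIGHT_RIGHT = "centralauth-oversight"


@dataclass(frozen=True)
class GlobalUser:
    user_id: int
    name: str
    hidden_level: str


# Constructed sample directory: one public account, two globally hidden ones,
# with a gap at 1003 so the crawl also hits a nonexistent ID.
USERS: Dict[int, GlobalUser] = {
    1001: GlobalUser(1001, "PublicEditor", HIDDEN_NONE),
    1002: GlobalUser(1002, "Outed-Real-Name", HIDDEN_LISTS),
    1004: GlobalUser(1004, "Suppressed-Account", HIDDEN_SUPPRESSED),
}


def resolve_by_id_vulnerable(user_id: int, viewer_rights: FrozenSet[str]) -> Optional[str]:
    """Pre-fix behaviour: the name is returned whenever the ID exists,
    regardless of hidden level or who is asking."""
    user = USERS.get(user_id)
    return user.name if user else None


def resolve_by_id(user_id: int, viewer_rights: FrozenSet[str]) -> Optional[str]:
    """Fixed behaviour, mirroring the ApiQueryGlobalUserInfo condition:
    the name is shown only if the account exists AND (it is not hidden OR the
    viewer holds the oversight right). A hidden account therefore yields the
    same answer as a nonexistent one, so the response does not confirm it."""
    user = USERS.get(user_id)
    visible = user is not None and (
        user.hidden_level == HIDDEN_NONE or OVERSIGHT_RIGHT in viewer_rights
    )
    return user.name if visible else None


Resolver = Callable[[int, FrozenSet[str]], Optional[str]]


def leaked_hidden_names(resolver: Resolver, viewer_rights: FrozenSet[str],
                        id_range: range) -> List[str]:
    """Regression check: replay the sequential-ID crawl from the report against
    a resolver and collect every hidden username it hands back. The fixed
    resolver must return an empty list for an anonymous viewer."""
    leaked: List[str] = []
    for uid in id_range:
        name = resolver(uid, viewer_rights)
        if name is not None and USERS[uid].hidden_level != HIDDEN_NONE:
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    anon: FrozenSet[str] = frozenset()
    print("vulnerable:", leaked_hidden_names(resolve_by_id_vulnerable, anon, range(1000, 1010)))
    print("fixed:     ", leaked_hidden_names(resolve_by_id, anon, range(1000, 1010)))
```

The design point carried over from the quoted condition is the `$userExists && (...)` shape: the existence test and the hidden-level test are folded into one boolean, so an ordinary viewer gets an identical "no such user" result for a hidden ID and for an unused ID. A separate "this account is hidden" error would close the name leak but still confirm which IDs are taken.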

Details

Author Affiliation
Wikimedia Communities

Event Timeline

sbassett added a subscriber: sbassett.

This task had been open so long, it was re-reported here: T285190 :/ But the good news is that we had a patch written and deployed to production, so that's some progress.

@sbassett I'm not sure that other task was a duplicate, this is for the url containing the global user id and that other task is for the url containing the account name.

@DannyS712 - I believe these are both related, as they are ways to enumerate users via the same form on the same special page. But yes, this is specifically for the edge case for using the user id as opposed to the username.

Zabe reopened this task as Open. Edited Jun 23 2021, 10:14 PM
Zabe claimed this task.
Zabe added a project: User-Zabe.

Let me write a patch for this too. It's maybe a bit unnecessary to have two for this, so please tell me if we should put both into a single patch.

Edit: I decided to put it into one patch, as it's basically the same thing.

@sbassett can this task also be made public as T285190 is now public?

Yes, done.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".