
DeltaQuadBot OAuth credentials publicly readable on Toolforge
Closed, Resolved; Public; Security

Description

-rw-r--r--  1 tools.deltaquad-bots tools.deltaquad-bots   16529 Mar  2  2016 user-config.py
legoktm@tools-sgebastion-08:/data/project/deltaquad-bots$ grep authenticate user-config.py 
authenticate['en.wikipedia.org'] = ('redacted','redacted','redacted','redacted')
$ find . -name user-config.py
./local/user-config.py
./jobs/ArbClerkBot/user-config.py
./jobs/IPBE/user-config.py
./jobs/SPI/user-config.py
./jobs/UAA2/user-config.py
./jobs/Email/user-config.py
./jobs/UAA/user-config.py
./DeltaQuadBot/email2/user-config.py
./DeltaQuadBot/email/user-config.py
./DeltaQuadBot/SPIupdater/user-config.py
./user-config.py
./pywikipedia/core/user-config.py

Please rotate your credentials ASAP. Note that by default this file is supposed to be in .pywikibot/user-config.py, which Pywikibot makes non-world-readable.

There are also some session cookies in stewie-en.txt and stewie-meta.txt, which are also world-readable. I don't know what account those belong to though.
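The two checks the report above was built from (is the file readable by "other", and does it carry an `authenticate[...]` tuple or a cookie jar) can be turned into a repeatable audit of a tool's project directory. The script below is an added example, not something from this task or from Pywikibot; the function names, the file-name patterns it flags (`user-config.py`, `stewie-*.txt`, `*cookies*`, `*.lwp`) and the temporary directory tree it builds for the demo are all constructed here. It lists world-readable candidate credential files and then strips group/other permissions from them, which is the same end state Pywikibot's default `~/.pywikibot/user-config.py` location is described as providing.

```shell
#!/bin/sh
# Added example (not from the Phabricator task): audit a Toolforge-style
# project directory for world-readable files that commonly hold
# credentials and fix their permissions. Patterns and paths are assumptions.

# Every regular file under $1 whose mode has the other-read bit set.
world_readable() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Filter world-readable files down to likely credential carriers:
# a Pywikibot user-config.py that actually contains an authenticate[...]
# OAuth tuple or a password entry, or a cookie-jar file by name.
flag_credential_files() {
    world_readable "$1" | while IFS= read -r f; do
        case "$(basename "$f")" in
            user-config.py)
                if grep -Eq '^authenticate\[|password' "$f"; then
                    printf '%s\n' "$f"
                fi ;;
            *cookies* | *.lwp | stewie-*.txt)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Remove group/other access from every flagged file; prints each fixed path.
fix_permissions() {
    flag_credential_files "$1" | while IFS= read -r f; do
        chmod go-rwx "$f" && printf '%s\n' "$f"
    done
}

# Octal mode of a file, portable across GNU (stat -c) and BSD (stat -f) stat.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Constructed demo tree: one world-readable config with a fake OAuth tuple,
# one world-readable cookie jar, one private config (not flagged) and one
# unrelated readable file (not flagged). Prints the tree's root.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/jobs/SPI" "$d/.pywikibot"
    printf "authenticate['en.wikipedia.org'] = ('k', 's', 't', 'u')\n" \
        > "$d/jobs/SPI/user-config.py"
    chmod 644 "$d/jobs/SPI/user-config.py"
    printf '# Netscape HTTP Cookie File\n' > "$d/stewie-en.txt"
    chmod 644 "$d/stewie-en.txt"
    cp "$d/jobs/SPI/user-config.py" "$d/.pywikibot/user-config.py"
    chmod 600 "$d/.pywikibot/user-config.py"
    printf 'hello\n' > "$d/README"
    printf '%s\n' "$d"
}

# Stand-alone run: report, fix, re-check, clean up.
DEMO=$(make_demo_tree)
echo "world-readable credential files before fix:"
flag_credential_files "$DEMO"
fix_permissions "$DEMO" >/dev/null
echo "remaining after fix: $(flag_credential_files "$DEMO" | wc -l | tr -d ' ')"
rm -rf "$DEMO"
```

Run it with the project directory in place of the demo tree (for example `flag_credential_files /data/project/<tool>`) before deciding what to rotate; anything it lists was readable by every other Toolforge user and should be treated as exposed regardless of whether the permissions are fixed afterwards.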

Event Timeline

The OAuth grant has just been revoked. It has not been renewed since it's not in use.
Session logout has forced the two cookies to be reset.
I'm going to proceed with a full rotation of logins out of an abundance of caution.

Full rotation of all 5 BotPasswords has been done too as a preventative measure.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 2 2021, 10:32 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".

Thanks for the speedy response :) I looked around again and didn't see anything else. In any case, the rotation would have invalidated everything.