Page MenuHomePhabricator
Create Task
Maniphest T284948

Raw IPs of logged-out users disclosed in wiki-replicas
Open, Stalled, Needs TriagePublic
Actions

Description

Summary
In line with T169097, the Security-Team recently completed an audit of the configuration file maintain-views.yaml, in order to explore whether wiki-replicas pose some privacy risks for the contributors supporting Wikimedia projects. As part of the conclusions, it is recommended that raw IPs of logged-out users be redacted from wiki-replicas

Broader context
Displaying raw IP information to the public is a practice that poses obvious privacy risks. IP information can provide very accurate geolocation about contributors and leaving it open to public makes it easier for malign actors to exploit that information. The two queries below provide easily a list of IP addresses used across a Wikimedia project.

SELECT * FROM actor
WHERE actor_user IS NULL
LIMIT 100;
SELECT * FROM ipblocks
WHERE ipb_user = 0
LIMIT 100;

One way to address this privacy issue could be to obfuscate or add noise to IPs in the tables
ipblocks, ipblocks_ipindex, ipblocks_compat, and actor. For instance, IP information is already hidden from abuse_filter_log table through obfuscation.

Details

Other Assignee
odimitrijevic

Related Objects
Search...

Event Timeline

sguebo_WMF created this task.Jun 14 2021, 5:43 PM
Restricted Application edited projects, added cloud-services-team (Kanban); removed cloud-services-team. · View Herald TranscriptJun 14 2021, 5:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Bstorm moved this task from Backlog to Wiki replicas on the Data-Services board.Jun 14 2021, 6:07 PM
Urbanecm subscribed.EditedJun 14 2021, 7:39 PM

I don't understand why do we restrict information from replicas while the same information are (as of writing) available in the interface. I used replica databases to evaluate wide anon-only range blocks applied to certain ISP(s), and for those tasks, having raw IP of (logged out) users is certainly benefitial.

abuse_filter_log is not a comparable table to actor, as afl_ip in abuse_filter_log contains IP addresses of all users, logged in or not. It is still possible to get IP addresses of logged out editors (which is stored in afl_user_text) from abuse_filter_log, as it should be (as long as this information is available in the production interface at all).

See example:

MariaDB [cswiki_p]> select * from abuse_filter_log where afl_id in (1205372, 1205361)\G
*************************** 1. row ***************************
          afl_id: 1205361
      afl_filter:
      afl_global: 0
   afl_filter_id: 32
        afl_user: 541955
   afl_user_text: Tornyy12 # logged in user, no IP in afl_ip
          afl_ip: NULL
      afl_action: edit
     afl_actions: tag
    afl_var_dump: tt:20632834
   afl_timestamp: 20210614193300
   afl_namespace: 0
       afl_title: Dan_Večeřa
        afl_wiki: NULL
     afl_deleted: 0
afl_patrolled_by: 0
      afl_rev_id: NULL
*************************** 2. row ***************************
          afl_id: 1205372
      afl_filter:
      afl_global: 0
   afl_filter_id: 3
        afl_user: 0
   afl_user_text: 213.175.51.124
          afl_ip: NULL # this is null, but afl_user_text still has the info
      afl_action: edit
     afl_actions: tag
    afl_var_dump: tt:20632849
   afl_timestamp: 20210614193525
   afl_namespace: 0
       afl_title: Masožravá_rostlina
        afl_wiki: NULL
     afl_deleted: 0
afl_patrolled_by: 0
      afl_rev_id: 20068878
2 rows in set (0.00 sec)

MariaDB [cswiki_p]>

I'd appreciate this being discussed with tool owners before implementing.

bd808 subscribed.Jun 14 2021, 8:46 PM

Related: https://meta.wikimedia.org/wiki/IP_Editing:_Privacy_Enhancement_and_Abuse_Mitigation

Legoktm subscribed.Jun 15 2021, 4:20 PM
In T284948#7156457, @Urbanecm wrote:

I don't understand why do we restrict information from replicas while the same information are (as of writing) available in the interface. I used replica databases to evaluate wide anon-only range blocks applied to certain ISP(s), and for those tasks, having raw IP of (logged out) users is certainly benefitial.

This basically. The wiki replicas should just allow access to whatever the wikis allow publicly (and some exceptions). I assume this should be blocked on some other task that redacts this from wikis?

JFishback_WMF moved this task from Incoming to In Progress on the Privacy Engineering board.Jun 21 2021, 3:36 PM
sguebo_WMF added a comment.Aug 6 2021, 5:44 PM

I used replica databases to evaluate wide anon-only range blocks applied to certain ISP(s), and for those tasks, having raw IP of (logged out) users is certainly beneficial.

Hey @Urbanecm and thanks for surfacing that use case. While bearing in mind the privacy risk highlighted earlier, I can definitely see how obfuscating that data would disrupt anti-vandalism work, though not offering a proper alternative for now. Therefore, I am fine with having this ticket stalled until IP masking (T283177) is effective, so as not to create unnecessary disruption.

sguebo_WMF updated the task description. (Show Details)Aug 6 2021, 5:47 PM
sguebo_WMF added a parent task: Restricted Task.
sguebo_WMF moved this task from In Progress to Watching on the Privacy Engineering board.Aug 6 2021, 5:53 PM
nskaggs moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.Aug 10 2021, 9:50 PM
Zabe subscribed.Oct 5 2021, 11:26 PM
nskaggs added a project: Analytics.Oct 20 2021, 4:07 PM
odimitrijevic updated Other Assignee, added: odimitrijevic.Oct 25 2021, 3:58 PM
AntiCompositeNumber subscribed.Oct 28 2021, 12:16 AM
AntiCompositeNumber added a parent task: T294511: 2021 Security Team wikireplicas audit.Oct 28 2021, 12:29 AM
AntiCompositeNumber changed the task status from Open to Stalled.Oct 28 2021, 12:32 AM
AntiCompositeNumber added a subtask: T283177: Anonymous Contributors IP Masking.
odimitrijevic added a project: Data-Engineering.Oct 28 2021, 4:29 PM
odimitrijevic moved this task from Incoming (new tickets) to Security & Governance on the Data-Engineering board.Oct 28 2021, 5:02 PM
odimitrijevic removed a project: Analytics.Jan 11 2022, 11:22 PM
Jdforrester-WMF closed subtask T283177: Anonymous Contributors IP Masking as Invalid.Jan 18 2023, 3:41 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
JArguello-WMF moved this task from Security & Governance to Incoming (new tickets) on the Data-Engineering board.Jun 29 2023, 11:44 PM
JArguello-WMF moved this task from Incoming (new tickets) to Radar (External Teams) on the Data-Engineering board.Jun 29 2023, 11:51 PM
lbowmaker moved this task from Radar (External Teams) to Icebox (not considered in current quarter) on the Data-Engineering board.Nov 10 2023, 1:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits