
Special:Impact leaks suppressed usernames (CVE-2022-28207)
Closed, ResolvedPublicSecurity

Description

The user Zabe (test 9) is suppressed on the beta cluster.

zabe_9_suppressed.png (719×726 px, 71 KB)

Still it is possible to discover its existence through Special:Impact.

Actual result

special_impact_leak.png (1×1 px, 106 KB)

Expected result

special_impact_expected.png (1×1 px, 61 KB)

Event Timeline

Zabe added a project: Patch-For-Review.

Proposed patch

sbassett added a project: SecTeam-Processed.
sbassett subscribed.

Issue confirmed on enwiki and +1 to the patch above. Would be nice to get another +1 from GrowthExperiments folks (@Urbanecm_WMF @Tgr et al) prior to deployment.

Well, the fact that a known username is suppressed isn't really secret. You can always just check via list=users - some of that should probably be hidden but we need to tell new users at some point during the account creation process that the account already exists, so at least the cancreate flag needs to work (although I suppose we could try to make that check so late that you can't verify without not creating a new account if the username wasn't taken).

The patch looks good otherwise.

Proposed patch

LGTM, untested.

In T298312#7599918, @Tgr wrote: You can always just check via list=users

I don't think so. It just worked for you because I undid the suppression of my testing account after taking the screenshots. I redid the suppression now and if you now perform that query it also states missing:true like for nonexistent accounts.

Sorry, I wasn't clear about my point, which is that you can't fake the can-create check (or, you could, but it would result in erratic behavior):
https://en.wikipedia.beta.wmflabs.org/w/api.php?action=query&format=jsonfm&list=users&ususers=Zabe%20(test%209)&usprop=cancreate

"name": "Zabe (test 9)",
"missing": "",
"cancreateerror": [
    {
        "message": "userexists",
        "params": [],
        "code": "userexists",
        "type": "error"
    }
]

Ok, thanks for clarifying. :)

Proposed patch

LGTM, untested.

+1 LGTM, also untested.

23:38 <urbanecm> !log Deploy security patch for T298312
23:38 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Deployed to production as of F34896154. Works as expected. For a suppressed user, Special:Impact claims "Missing or invalid username." when logged out, but when logged in under my WMF account (which has hideuser), Special:Impact gladly shows information about that user.

Moving back to Incoming for security-team to triage (and publish & merge to master, as appropriate).
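The access rule Urbanecm describes above (a suppressed user must look exactly like a nonexistent one unless the viewer holds hideuser), as added illustration code; this is not the patch from Gerrit change 775916, and the resolver class and method names are assumed. Only core MediaWiki APIs (UserFactory, User::isHidden(), Authority::isAllowed()) are used.

```php
<?php
// Added illustration, not the GrowthExperiments patch itself.
// Assumed: a special page receives a username and renders impact data for it.
use MediaWiki\MediaWikiServices;
use MediaWiki\Permissions\Authority;
use MediaWiki\User\UserIdentity;

class ImpactTargetResolver {
    /**
     * Resolve the target user for Special:Impact, or return null when the
     * page must behave exactly as it does for a nonexistent user.
     *
     * Returning null for both cases matters: if a hidden user produced any
     * response different from a missing user, the account's existence would
     * leak to viewers who are not allowed to see suppressed names.
     */
    public static function resolve( string $name, Authority $viewer ): ?UserIdentity {
        $user = MediaWikiServices::getInstance()->getUserFactory()->newFromName( $name );
        if ( !$user || !$user->isRegistered() ) {
            return null; // invalid or unknown name
        }
        // Suppressed (hidden) user: only viewers with 'hideuser' may know it exists.
        if ( $user->isHidden() && !$viewer->isAllowed( 'hideuser' ) ) {
            return null; // indistinguishable from the missing-user case
        }
        return $user;
    }
}

// Caller sketch (assumed): the same error message is shown for both null cases.
// $target = ImpactTargetResolver::resolve( $par, $this->getAuthority() );
// if ( $target === null ) {
//     $this->getOutput()->addWikiMsg( 'growthexperiments-specialimpact-invalid-username' );
//     return;
// }
```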

sbassett removed a project: Patch-For-Review.

Thanks, @Urbanecm_WMF. Now tracking for the supplemental release (T297839) and on the current deployments bug (T276237).

sbassett changed Risk Rating from N/A to Low.
sbassett renamed this task from Special:Impact leaks suppressed usernames to Special:Impact leaks suppressed usernames (CVE-2022-28207). (Mar 30 2022, 7:20 PM)
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". (Mar 31 2022, 5:44 PM)
sbassett changed the edit policy from "Custom Policy" to "All Users".

Change 775916 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775916

Change 775927 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/GrowthExperiments@REL1_37] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775927

Change 775928 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775928

Change 775929 had a related patch set uploaded (by SBassett; author: Zabe):

[mediawiki/extensions/GrowthExperiments@REL1_35] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775929

Change 775916 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775916

Change 776035 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/GrowthExperiments@REL1_38] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/776035

Change 776035 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_38] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/776035

Change 775927 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_37] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775927

Change 775929 merged by Umherirrender:

[mediawiki/extensions/GrowthExperiments@REL1_35] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775929

Change 775928 merged by Umherirrender:

[mediawiki/extensions/GrowthExperiments@REL1_36] SECURITY: Don't leak suppressed usernames on Special:Impact

https://gerrit.wikimedia.org/r/775928