Page MenuHomePhabricator
Create Task
Maniphest T301992

Insert CheckUser row events during certain 2FA actions
Open, MediumPublic
Actions

Description

It seems it could be beneficial having OATHAuth logging to CheckUser (if installed) during certain 2FA events:

Details

SubjectRepoBranchLines +/-
Send log entries to CheckUsermediawiki/extensions/OATHAuthmaster+14 -0
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
OpenNoneT301992 Insert CheckUser row events during certain 2FA actions
ResolvedFeatureDreamy_JazzT324907 Create separate tables for log events in CheckUser
· · ·

Event Timeline

Reedy created this task.Feb 17 2022, 3:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2022, 3:03 PM
Legoktm subscribed.Feb 18 2022, 7:21 AM

We don't log stuff like password change or email change to CU do we? I think 2FA should be at the same level of those. The only exception IMO is when someone else removes 2FA via the special page, where we add a log entry. I'll submit a patch for that in a few minutes.

I do think we should have MW debug logs for all the cases you mentioned with CU-like data if it's not already in place.

Legoktm added a comment.Feb 18 2022, 7:35 AM

Screenshot 2022-02-17 at 23-34-41 Check user - Trunk Test.png (114×1 px, 31 KB)

gerritbot added a comment.Feb 18 2022, 7:36 AM

Change 763654 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/OATHAuth@master] Send log entries to CheckUser

https://gerrit.wikimedia.org/r/763654

gerritbot added a project: Patch-For-Review.Feb 18 2022, 7:36 AM
Reedy added a comment.Feb 18 2022, 10:15 AM
In T301992#7720442, @Legoktm wrote:

We don't log stuff like password change or email change to CU do we? I think 2FA should be at the same level of those. The only exception IMO is when someone else removes 2FA via the special page, where we add a log entry. I'll submit a patch for that in a few minutes.

I do think we should have MW debug logs for all the cases you mentioned with CU-like data if it's not already in place.

I wonder if we should just be improving this sort of logging more generally. Maybe a bigger discussion to be had...

taavi subscribed.Feb 18 2022, 10:18 AM
Legoktm added a comment.Feb 19 2022, 6:50 AM

CUs/stews often look into account compromises, so I think it is somewhat reasonable to do so, but like Majavah said on the Gerrit patch, that is a shift from what we currently do.

If we are considering all auth-stuff, I think we should have a "account security events" log like other sites do, that track when you changed your password, email, etc. and shows it to you so you can audit your own account security. I think a framework like that belongs in core (something something E:AccountInfo!). And if we had that, I think it would be reasonable to allow trusted users including possibly CheckUsers to access it, but I don't think mixing it all in with CU makes sense.

TheresNoTime subscribed.Mar 3 2022, 12:25 AM
Zabe subscribed.Jun 19 2022, 9:26 AM
Dreamy_Jazz triaged this task as Medium priority.Jan 31 2023, 12:00 AM
Dreamy_Jazz added a subtask: T324907: Create separate tables for log events in CheckUser.Feb 16 2023, 8:35 PM
Dreamy_Jazz subscribed.EditedFeb 16 2023, 8:46 PM

Having looked at this my thoughts are:

  • There is concern about showing entries from the hidden log to users with checkuser rights
  • Having the IP, XFF and user agent associated with this log entry in Special:CheckUser is useful for compromise investigations. While the server logs can be inspected this requires someone with that right to do so which may take too long in a case of an urgent compromise check.

I agree that this would be good to have stored in the CheckUser table. One solution to the issue of showing the entries is by hiding the actiontext associated with the hidden log entry unless the user has the right to view the log. This can be done once migration in T324907 is stably set to read new as entries detailed in the task description would go into cu_log_event and store the associated logging table ID. CheckUser can then inspect the log entry to find out whether it can show it, displaying everything but the action text to the checkuser with some description about the entry being hidden because they need a right. The CheckUser can then pass the log ID that would be shown to a user with the right so they can see what the event was.

This method of hiding the actiontext for protected logs when the user does not have the right could be applied to many other actions, including the suppress log. The CheckUser would not be able to see what the log item was and only that they don't have the right to view it.

gerritbot added a comment.Jul 7 2024, 1:48 PM

Change #763654 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Send log entries to CheckUser

https://gerrit.wikimedia.org/r/763654

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.13; 2024-07-09).Jul 7 2024, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 8:46 PM
Dreamy_Jazz closed subtask T324907: Create separate tables for log events in CheckUser as Resolved.Jul 24 2024, 4:44 PM
TheDJ subscribed.Mon, Feb 24, 3:49 PM

If I understand correctly, the only thing we are not logging listed in the description now is enrollment right ? Do we want to close this ticket, split that off, or are we good with the current state ?

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptMon, Feb 24, 3:49 PM
Dreamy_Jazz added a comment.EditedMon, Feb 24, 3:56 PM
In T301992#10575558, @TheDJ wrote:

If I understand correctly, the only thing we are not logging listed in the description now is enrollment right ? Do we want to close this ticket, split that off, or are we good with the current state ?

AFAIK we are currently missing:

  • Failed 2FA login attempts
  • Enrolment into 2FA

As to whether we want to split the ticket, I'm happy either way. I think we probably still want to log failed 2FA attempts to CheckUser, given that failed attempts to verify 2FA might indicate attempted account breaches where the password is known. Currently (AFAICS) the CheckUser data would only log a generic failed to login attempt, which wouldn't indicate the password used was correct (AFAIK).

Enrolment into 2FA seems less useful to log, as long as the enrolment was performed by the user themselves.

TheDJ mentioned this in T387245: Insert CheckUser row events for failed 2FA logins.Tue, Feb 25, 9:05 PM
TheDJ added a comment.EditedTue, Feb 25, 9:10 PM

I think it is good to split out tickets whenever delivered functionality is spread over multiple MW releases (we probably don't do enough of that), so i made a separate ticket.

I agree enrollment is less useful indeed. However I think I have heard of attacks outside wikimedia where attackers enabled 2FA after takeover of an account. But i'm pretty sure other signals are more important and a better indication.

Dreamy_Jazz added a comment.EditedWed, Feb 26, 10:36 AM
In T301992#10580706, @TheDJ wrote:

I agree enrollment is less useful indeed. However I think I have heard of attacks outside wikimedia where attackers enabled 2FA after takeover of an account. But i'm pretty sure other signals are more important and a better indication.

If you think enrolment should be logged, then if you could file a task for it? Then we can close this out (as you have suggested).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits