
AntiSpoof should also check global accounts from CentralAuth
Closed, Resolved, Public

Description

If you try to create an account that is similar to an existing one (such as me trying to create "SöWhy"), the software will check for existing usernames (here "SoWhy") and disallow creation of the account. On the other hand, if you create the account "SöWhy" on another project where the "SoWhy" account does not exist yet, you can then auto-create the account on the wiki where the "SoWhy" account already exists, thus creating an impersonation account despite the measures set in place to prevent this.

Example:

Regards,
SoWhy


Version: unspecified
Severity: enhancement

Details

Reference
bz28747

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:29 PM
bzimport set Reference to bz28747.
bzimport added a subscriber: Unknown Object (MLST).

AntiSpoof does not work with CentralAuth currently.

This could work in two ways: by blocking the account autocreation if there's a local account with a similar name, or by blocking registration if there is a similarly named global account.

I think the latter is preferable.

Blocking autocreation would probably not work without heavy modifications, also that would still allow impersonation of prominent users on little known side projects, for example by claiming to be an en-wiki admin on en-wikiversity.

On a side note, AntiSpoof probably needs to be improved as well, as seen in the recent attack of impersonation accounts on en-wiki. For example, AntiSpoof does not block the creation of usernames with a single character changed unless that character is similar to the changed one ("SöWhy" is blocked but "SüWhy" is not). On a short username like mine, a change of a character is easily noticed but if the username has 15+ characters or if the username is complicated, many people will not notice the change, so it would probably be good if AntiSpoof checked how much the new username has in common with existing ones.
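The two checks discussed in the description and in the comments above, as an added illustration that is not AntiSpoof's or CentralAuth's own code (those are PHP inside MediaWiki): a confusable-folding check that is run against the local account list only (the situation the task describes) and then against the local and global lists together (the behaviour the task asks for), plus an edit-distance near-miss check for names such as "SüWhy" that a confusable fold alone does not catch. The account sets, the confusable table, the threshold and all function names are constructed for this example.

```python
import unicodedata
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample data (not real accounts): a wiki that already has "SoWhy"
# locally, a second wiki that does not, and the global (CentralAuth-style) list.
WIKI_A_LOCAL = {"SoWhy", "Alice"}
WIKI_B_LOCAL = {"Alice"}
GLOBAL_ACCOUNTS = {"SoWhy", "Alice", "Bob"}

# Hypothetical confusable table; a real deployment uses a far larger one.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "$": "s"}


def normalize(username: str) -> str:
    """Fold a username to a canonical form so look-alike names collide."""
    # NFKD splits "ö" into "o" + U+0308; dropping combining marks leaves "o".
    decomposed = unicodedata.normalize("NFKD", username)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = base.casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def find_conflicts(username: str, existing: Iterable[str]) -> List[str]:
    """Names in `existing` whose normalized form equals that of `username`."""
    key = normalize(username)
    return sorted(name for name in existing if normalize(name) == key)


def check_registration(username: str, local: Set[str],
                       global_accounts: Optional[Set[str]] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, conflicting_names).

    With global_accounts=None this is a purely local check, which is what lets
    an autocreated look-alike slip through; passing the global list closes it.
    """
    pool = set(local)
    if global_accounts is not None:
        pool |= global_accounts
    conflicts = find_conflicts(username, pool)
    return (not conflicts, conflicts)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between the normalized forms of two names."""
    a, b = normalize(a), normalize(b)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_misses(username: str, existing: Iterable[str], max_distance: int = 1) -> List[str]:
    """Existing names within `max_distance` edits of `username` that are not
    already exact confusable matches (distance 0 is handled by find_conflicts)."""
    return sorted(name for name in existing
                  if 0 < edit_distance(username, name) <= max_distance)


if __name__ == "__main__":
    # Local-only check on wiki B lets "SöWhy" through, so it can later be
    # autocreated on wiki A next to "SoWhy" ...
    print(check_registration("SöWhy", WIKI_B_LOCAL))
    # ... but the same name checked against the global list is refused.
    print(check_registration("SöWhy", WIKI_B_LOCAL, GLOBAL_ACCOUNTS))
    # "SüWhy" is not a confusable of "SoWhy", but it is one edit away.
    print(check_registration("SüWhy", WIKI_B_LOCAL, GLOBAL_ACCOUNTS))
    print(near_misses("SüWhy", GLOBAL_ACCOUNTS))
```

The near-miss list is reported separately from the hard block because, as the reply below notes, short names one edit apart (FoobarLand, FoobarBand) may be legitimately distinct; a deployment would tune the threshold by name length or route such hits to review rather than refuse them outright.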

(In reply to comment #1)

AntiSpoof does not work with CentralAuth currently.

This could work on two ways: by blocking the account autocreation if there's a
local account with similar name, or by blocking registration if there is a
similarly named global account.

I think the latter is preferable.

Changed bugsummary accordingly

(In reply to comment #2)

not). On a short username like mine, a change of a character is easily noticed
but if the username has 15+ characters or if the username is complicated, many
people will not notice the change, so it would probably be good if AntiSpoof
checked how much the new username has in common with existing ones.

I'm not sure how valid this request is (even just FoobarLand and FoobarBand are very different imho), but you could request this as a separate bug.

Moved and assigned per BugTriage.

Removing from 1.18 deployment blocker but bumping priority to compensate.

Sam, is this something you can look into?

r106805, r106808 were prerequisite work (refactoring etc)

r106809 and r106812 then build on that, and use the stuff

Some more updating in r106813, r106816 to bring the maintenance script into recent shape and create a CA script for it also

Pushing bug back into CA component, as it's done essentially on the CA side

Some other bits of cleanup work also done to AntiSpoof

Need to do a bit of testing to check it

  • Bug 15545 has been marked as a duplicate of this bug.