Page MenuHomePhabricator
Create Task
Maniphest T333723

w.wiki + ?withJS= allows an intadmin on any wiki to launch phishing attacks on all wikis, or lets any user trick people into running unwanted JS
Closed, DeclinedPublicSecurity
Actions

Description

The w.wiki link shortener accepts links containing ?withJS= parameters (harmless example). At first blush, this might not seem like much of an issue, since ?withJS= only works with MediaWiki namespace scripts, which only intadmins can create and edit. And intadmins already have the power to do much worse, so we needn't be concerned about giving them this extra power. However, there are two ways that the vulnerabilties here exceed those inherent in the existence of intadmins.

We'll start with the relatively less scary one: allowing w.wiki links including ?withJS= parameters means that any user can trick any other user into running any JS in the MW namespace of the wiki in question. Since MediaWiki namespace scripts are expected to run on an opt-in basis in most cases (with careful discussion of the rare exceptions), it is possible that some wikis will have scripts in that namespace that do have serious adverse effects if run unintentionally. However, this is the lesser of my concerns.

Much more alarmingly, this combination of features allows anyone who is an intadmin anywhere on a w.wiki-scope wiki to conduct phishing attacks that will be roughly as effective on all wikis. While this is a relatively high-effort attack, it is significantly lower-effort than gaining intadmin on any of the major wikis. Consider the following approach:

  1. I get temp IA on tinywiki.wiktionary.org. Very easy, potentially might only take a few weeks, considering that a 0–0 self-nom is a valid IA consensus.
  2. I create a (probably heavily obfuscated) MW namespace script that will redirect users to some phishing domain, en.wikipedia.org.tld or such. (Of course there's other evil things I could do, but the rest are all inherent risks in IA.)
  3. I create shortcut https://w.wiki/tr
  4. I email enwiki admins some phishing emal, linking them to https://w.wiki/tr. Since w.wiki is a trusted domain, they click it.
  5. Unless they noticed the brief flicker as they are taken from w.wiki to tinywiki.wiktionary.org to en.wikipedia.org.tld, or notice the incorrect domain name at the end, they will have no reason not to fill out the UserLogin form at the fake enwiki.

Thus someone with intadmin on any wiki has a very viable path to phish any account on a major wiki, even for users who are diligent in not clinking links to untrusted sites.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Tamzin created this task.Mar 31 2023, 8:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2023, 8:09 PM
Vermont subscribed.Mar 31 2023, 11:40 PM
Reedy added a project: MediaWiki-extensions-UrlShortener.Apr 2 2023, 11:38 AM
Legoktm subscribed.Apr 3 2023, 12:48 AM

You can pull off this kind of attack with any common URL shortener, so I don't think it's worth having w.wiki forbid usage of the withJS parameter, which does have plenty of legitimate uses that merit URL shortening.

If you were an attacker with IA access on tinywiki.wiktionary.org with the ability to get away with creating obfuscated JS in the MediaWiki namespace, you could turn your payload into a default gadget or stick it in Common.js, etc. And then link directly to the wiki, no withJS or even URL shortener needed.

Is there something I'm missing?

Ladsgroup subscribed.Apr 3 2023, 1:23 AM

I agree with Lego, This was in my mind when I was deploying url shortener but given the separation of IA and general admin rights (that happened a couple years ago) this is not a big of vector. Most importantly, if someone could take over IA rights in a small or medium wiki, there is a bigger problem (compromise of accounts large number of people, large-scale disruption and so on) than specific users could potentially be targeted via w.wiki. A proper solution to this is to strengthen security of small wikis via strong policies on IA [1] rather than hiding the actual problem under the rug.

[1]: Some ideas: we don't allow indef admins in lots of wikis anymore, we could simply ban IA rights on small wikis and make them request changes via global interface admins, similar to CU). Given the potential of bad actors compromising PII on wikis, I think it's sensible. It's not even bad actors getting rights, it's the higher chance of the admin account getting compromised for such attacks.

DannyS712 subscribed.Apr 4 2023, 3:29 PM

Perhaps we could add a way to see what the target would be, before actually proceeding? Like https://meta.wikimedia.org/wiki/Special:UrlShortener/d showing the target of w.wiki/d ?

Tamzin added a comment.Apr 5 2023, 6:15 AM
In T333723#8749093, @Legoktm wrote:

Is there something I'm missing?

Primarily the potential for spoofing. In the other attack you describe, the hypothetical enwiki admin knows they're visiting tinywiki.wiktionary.org, a site they probably have no intention of ever editing. But if they click on a link that they're told will take them to enwiki, and the link has the w.wiki implied certificate of authenticity, and then they're now on a website that looks just like enwiki, there's a greater chance of them taking the bait. Put simply: IAs can only affect their own wikis, but this vulnerability lets their wiki be any wiki.

Legoktm added a comment.Apr 5 2023, 6:33 AM
In T333723#8757593, @Tamzin wrote:

Primarily the potential for spoofing. In the other attack you describe, the hypothetical enwiki admin knows they're visiting tinywiki.wiktionary.org, a site they probably have no intention of ever editing. But if they click on a link that they're told will take them to enwiki, and the link has the w.wiki implied certificate of authenticity, and then they're now on a website that looks just like enwiki, there's a greater chance of them taking the bait.

I mean... https://en.wikipedia.org/wiki/wikt:zh:Foo?withJs=pwned ?

Put simply: IAs can only affect their own wikis, but this vulnerability lets their wiki be any wiki.

I would not consider the first part of your statement to be true. There are enough SWMT, global sysops, stewards, etc. that are regularly visiting small wikis that any IA effectively can attack any wiki.

Legoktm added a comment.Apr 5 2023, 6:36 AM
In T333723#8755082, @DannyS712 wrote:

Perhaps we could add a way to see what the target would be, before actually proceeding? Like https://meta.wikimedia.org/wiki/Special:UrlShortener/d showing the target of w.wiki/d ?

Sure. Special:UrlExpander I suppose :)

sbassett subscribed.EditedApr 5 2023, 3:06 PM

I'd agree with the idea that int-admins are already highly-trusted users and that considering a possible exploit like this really starts heading down a slippery slope of not allowing any advanced user rights since any account could theoretically be compromised or have the user go rogue, thus enabling plenty of forms of on-wiki damage. There's a real question here of how feasibly-protective we can be for issues like this.

In T333723#8755082, @DannyS712 wrote:

Perhaps we could add a way to see what the target would be, before actually proceeding? Like https://meta.wikimedia.org/wiki/Special:UrlShortener/d showing the target of w.wiki/d ?

This sounds a bit cumbersome, but could certainly work for highly-concerned users. We could even have it flag URLs with withJS= as a query param and throw an additional warning message. But I think that's about the most something like this should do.

Ladsgroup added a comment.Apr 5 2023, 4:48 PM
In T333723#8759465, @sbassett wrote:
In T333723#8755082, @DannyS712 wrote:

Perhaps we could add a way to see what the target would be, before actually proceeding? Like https://meta.wikimedia.org/wiki/Special:UrlShortener/d showing the target of w.wiki/d ?

This sounds a bit cumbersome, but could certainly work for highly-concerned users. We could even have it flag URLs with withJS= as a query param and throw an additional warning message. But I think that's about the most something like this should do.

It's still possible to check a redirect chain via curl without sharing any creds (or even tell it not to follow redirects and read the 302 response). It's a bit more cumbersome but not that much.

Legoktm added a comment.Apr 6 2023, 1:44 AM

FWIW bitly has a feature where you add a "+" to the end of the URL and it sends you to an interstitial instead of directly redirecting. E.g. https://bit.ly/3nS07lI vs https://bit.ly/3nS07lI+ - so I think it's a reasonable feature to add to a URL shortener. But maybe we can move that to a public ticket?

mmartorana changed the task status from Open to In Progress.Apr 7 2023, 2:33 PM
mmartorana triaged this task as Low priority.
mmartorana added a project: Vuln-Misconfiguration.
mmartorana changed Risk Rating from N/A to Low.
mmartorana closed this task as Declined.Apr 7 2023, 3:21 PM
mmartorana subscribed.

As previously mentioned, the additional powers granted by int-admin privileges already pose a significant risk in terms of potential damage. Therefore, restricting the use of withJS would result in more limitations than benefit for this particular scenario.

mmartorana added a comment.Apr 24 2023, 3:08 PM

Hi - this task will be made public soon.

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 24 2023, 4:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits