Page MenuHomePhabricator
Create Task
Maniphest T357778

Require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances
Open, Needs TriagePublic
Actions

Description

To mitigate scripted abuse of temp accounts, we should consider showing a CAPTCHA to edits that would result in a temporary account creation, in certain circumstances. Some possible scenarios:

  • the user's IP is known to iPoid-Service
  • the user's IP is linked with X number of temp account creations in the last Y minutes
  • the user's IP is linked with X number of temp account edits in the last Y minutes

We could also consider a config that would allow for requiring a captcha on temp account creation for X% of requests

Related Objects
Search...

Event Timeline

kostajh renamed this task from Require users to complete a CAPTCHA on temporary account creations in certain circumstances to Require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances.Feb 16 2024, 2:21 PM
kostajh created this task.
kostajh mentioned this in T342880: Decide what the rate limit should be for temporary account creations.Feb 16 2024, 6:13 PM
Ladsgroup awarded a token.EditedFeb 16 2024, 6:19 PM
Ladsgroup subscribed.

I'd go even further given how easy it is to change IPs to just require it on every case. That simplifies the logic. We already require captcha for every user creation regardless.

kostajh added a comment.EditedFeb 16 2024, 6:23 PM
In T357778#9551525, @Ladsgroup wrote:

I'd go even further given how easy it is to change IPs to just require it on every case. That simplifies the logic. We already require captcha for every user creation regardless.

We can make that configurable and observe what happens in some pilot wikis (T357763: Create a temporary accounts initiative Grafana dashboard). I hesitate to say that we set "always show a CAPTCHA for temp account creation" as the default, because that diverges significantly from the status quo, in regard to barrier to entry for editing.

Ladsgroup added a comment.Feb 16 2024, 6:33 PM

Fair, in adding links, the user clicks on Publish and then sees a captcha, maybe if we show captcha before that it would reduce the barrier but yeah. Very non-scientific gut feeling. Nothing concrete.

kostajh updated the task description. (Show Details)Mar 3 2024, 7:48 PM
kostajh added a comment.May 10 2024, 7:26 AM

The proposed mechanism for showing the CAPTCHA is in this patch (T20110: Define AbuseFilter consequence to display a CAPTCHA).

Tchanders subscribed.May 14 2024, 11:33 AM
Tchanders edited projects, added Temporary accounts (Update MediaWiki Core to introduce temp accounts); removed Temporary accounts.Tue, Jun 11, 4:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL