
Provide ability to require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances
Closed, Resolved (Public)

Description

To mitigate scripted abuse of temp accounts, we should consider showing a CAPTCHA for edits that would result in a temporary account creation, in certain circumstances. Some possible scenarios:

  • the user's IP is known to iPoid-Service
  • the user's IP is linked with X number of temp account creations in the last Y minutes
  • the user's IP is linked with X number of temp account edits in the last Y minutes

We could also consider a config that would allow for requiring a captcha on temp account creation for X% of requests.
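The three scenarios above plus the percentage option, as an added illustrative example (Python, not code from this task, MediaWiki or AbuseFilter): a per-IP sliding-window counter that decides whether a temp-account creation should be challenged. The thresholds, window, sample percentage and known-IP set are constructed stand-ins for X, Y, X% and the iPoid-Service lookup.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CaptchaPolicy:
    creation_threshold: int = 5         # X temp account creations per IP ...
    edit_threshold: int = 20            # X temp account edits per IP ...
    window_seconds: int = 600           # ... in the last Y minutes (here 10)
    sample_percent: int = 0             # also require a CAPTCHA on X% of requests
    known_ips: frozenset = frozenset()  # constructed stand-in for an iPoid-Service lookup


class TempAccountCaptchaGate:
    """Sliding window of per-IP events; decides whether a CAPTCHA is due."""
    def __init__(self, policy):
        self.policy = policy
        self._creations = defaultdict(deque)  # ip -> ascending timestamps
        self._edits = defaultdict(deque)

    def record_creation(self, ip, ts):
        self._creations[ip].append(ts)  # call once the temp account exists

    def record_edit(self, ip, ts):
        self._edits[ip].append(ts)  # call once a temp-account edit is saved

    def _count_in_window(self, events, now):
        cutoff = now - self.policy.window_seconds
        while events and events[0] < cutoff:  # drop events older than Y
            events.popleft()
        return len(events)

    def reasons(self, ip, now, request_id):
        """Return every scenario from the description that matches this request."""
        p, hit = self.policy, []
        if ip in p.known_ips:
            hit.append("ip-known-to-ipoid")
        if self._count_in_window(self._creations[ip], now) >= p.creation_threshold:
            hit.append("creation-rate")
        if self._count_in_window(self._edits[ip], now) >= p.edit_threshold:
            hit.append("edit-rate")
        # Deterministic per-request sampling so a retried request gets the same answer.
        bucket = int(hashlib.sha256(request_id.encode()).hexdigest()[:8], 16) % 100
        if bucket < p.sample_percent:
            hit.append("sampled")
        return hit

    def requires_captcha(self, ip, now, request_id):
        return bool(self.reasons(ip, now, request_id))
```

Counting only events recorded before the current request mirrors how an AbuseFilter variable would be evaluated before the action runs; the caller records the creation or edit after it succeeds.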

Event Timeline

kostajh renamed this task from "Require users to complete a CAPTCHA on temporary account creations in certain circumstances" to "Require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances".
Ladsgroup subscribed.

I'd go even further given how easy it is to change IPs to just require it on every case. That simplifies the logic. We already require captcha for every user creation regardless.


We can make that configurable and observe what happens in some pilot wikis (T357763: [Epic] Create a temporary accounts initiative Grafana dashboard). I hesitate to say that we set "always show a CAPTCHA for temp account creation" as the default, because that diverges significantly from the status quo, in regard to barrier to entry for editing.

Fair. In adding links, the user clicks on Publish and then sees a captcha; maybe if we show the captcha before that it would reduce the barrier, but yeah. Very non-scientific gut feeling. Nothing concrete.

@kostajh Are you actively working on this task? Did we establish what the Xs and Ys will be for the signals listed in the description?

> @kostajh Are you actively working on this task?

I've claimed it only because the mechanism for this work is via T20110: Define AbuseFilter consequence to display a CAPTCHA, which I am moving forward. I'll unclaim it, though, because in retrospect there are some other actionables here.

> Did we establish what the Xs and Ys will be for the signals listed in the description?

We did not. But I think this could be in the hands of AbuseFilter maintainers, after we define the variables they can use for this.

I think what needs to be done to meet the examples in the description is:

scenario | task
the user's IP is known to iPoid-Service | T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
the user's IP is linked with X number of temp account creations in the last Y minutes | new task needed to create an AbuseFilter variable for "IP linked with {threshold} account creations in {threshold} time"
the user's IP is linked with X number of temp account edits in the last Y minutes | new task needed to create an AbuseFilter variable for "IP linked with {threshold} temp account edits in {threshold} time"
kostajh renamed this task from "Require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances" to "Provide ability to require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances". Aug 27 2024, 9:39 AM
kostajh claimed this task.

I'll make tasks for this. Otherwise, this task is resolved, as the ability to require a CAPTCHA as part of the temporary account creation flow was done in T20110: Define AbuseFilter consequence to display a CAPTCHA.

Filed as T374521: Create AbuseFilter variable for number of temporary account creations in the last hour from an IP and T374522: Create AbuseFilter variable for number of temporary account edits in the last hour from an IP.