
CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them
Closed, Resolved | Public | 2 Estimated Story Points | Security

Description

If a user with the checkuser group, but not the suppressor group, performs an 'ipusers' CheckUser API request on an IP address which has been used by a user that has been blocked with hideuser, then the username of the hidden user will be displayed.

Note: This was an issue before the refactoring done in T341827, and so that ticket has not caused this (in fact it fixed log entries having deleted information displayed).

For example:

[Screenshots: the block entry with hideuser set; the leak in the ipusers check type; the leak in the actions check type; the contributions page for that hidden user]

Steps to reproduce
  1. Block a user with hideuser enabled using an account with the suppressor group
  2. Log into an account with just the checkuser group
  3. Open Special:ApiSandbox and select action as query, list as checkuser, and then curequest as ipusers or actions
  4. Provide the check target as an IP address used by the account that was blocked in step 2
  5. Run the check
  6. Search for the username of the blocked user

Event Timeline

Dreamy_Jazz renamed this task from CheckUser API for the 'ipusers' request type shows hidden usernames to those who cannot see them to CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them. (Mar 28 2024, 8:41 PM)
Dreamy_Jazz updated the task description.
Dreamy_Jazz set the point value for this task to 2. (Apr 2 2024, 11:29 AM)

In general, as a user with 'checkuser' but not 'hideuser' I can search for the IPs of a hidden user's username and see the same results as if I had 'hideuser' (via the API and Special:CheckUser). I would have to guess their name correctly, of course. Is this a problem worth fixing?

Considering that Special:Log will show the log entries matching a hidden username if you search by the exact username and that checks are logged, I think the risk of someone guessing usernames to find a hidden username is low and also a user who already knows the username doesn't have the information leaked to them by the CheckUser interfaces (because they know the username).

Change #1017095 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017095

Change #1017095 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017095

Change #1016884 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016884

Change #1016885 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016885

Change #1017126 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017126

Change #1016884 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016884

Change #1016885 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016885

Change #1017126 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017126

I suppress blocked every user on my wiki, but made sure all revisions, logs and archived revisions were visible (deleted value of 0). I then ran the CheckUser API for every username and IP in cu_changes. I could only see suppressed usernames in the "summary" of the actions request type.

When I then change the visibility of revisions and logs to deleted I do not see any usernames in the API response.

Test environment: Local docker CheckUser 2.5 (10af857) 15:58, 4 April 2024.
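
A check of the kind the verification comment above describes can be automated by walking the decoded API reply and reporting every string field that still contains a hidden username, which also catches names that appear inside an edit summary. This is an added example, not code from the task or from the CheckUser extension; the response field names, usernames and IP address are constructed for illustration.

```python
import json

# Constructed sample shaped like a CheckUser API reply. The field names are
# assumptions for illustration and are not copied from the extension.
SAMPLE_RESPONSE = json.loads("""
{"query": {"checkuser": {
  "ipusers": [
    {"name": "HiddenVandal", "editcount": 3, "ips": ["192.0.2.10"]},
    {"name": "OrdinaryUser", "editcount": 1, "ips": ["192.0.2.10"]}
  ],
  "actions": [
    {"user": "OrdinaryUser", "summary": "Reverted edits by HiddenVandal"},
    {"user": "OrdinaryUser", "summary": "typo fix"}
  ]
}}}
""")


def normalise(text):
    # Usernames may be written with "_" or " "; compare case-insensitively so
    # the scan errs on the side of reporting too much rather than too little.
    return text.replace("_", " ").casefold()


def find_leaks(node, hidden_names, path="$"):
    """Return (json_path, hidden_name) for every string value in the decoded
    reply that contains one of the hidden usernames."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            leaks += find_leaks(value, hidden_names, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            leaks += find_leaks(value, hidden_names, f"{path}[{index}]")
    elif isinstance(node, str):
        haystack = normalise(node)
        for name in hidden_names:
            if normalise(name) in haystack:
                leaks.append((path, name))
    return leaks


if __name__ == "__main__":
    # Run as the account that has checkuser but not suppressor rights would
    # see the reply: any line printed here is a field that exposes the name.
    for where, name in find_leaks(SAMPLE_RESPONSE, ["HiddenVandal"]):
        print(f"hidden username {name!r} visible at {where}")
```

The reported path distinguishes a leak in a username field from one in free text such as a summary.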

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

mmartorana renamed this task from CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them to CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them. (Jul 8 2024, 5:32 PM)
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". (Jul 10 2024, 8:51 AM)