
Issues changing password & logging in (primarily with Android Wikipedia mobile app)
Open, MediumPublicSecurity

Description

Via security@:

To Whom It May Concern,

I have experienced some issues changing my password and logging in to Wikipedia on Android.

I initially tried to change my password via the mobile site (en.m.wikipedia.org) in Microsoft Edge; however, when pressing "Change credentials" no further messages appear and the password is not changed.

I then attempted to change the password via the desktop site (en.wikipedia.org) in the same mobile browser which was successful.

I was wanting to submit a security report with some further information and troubleshooting, so I attempted to replicate the issue in Google Chrome on the same device; however, when attempting to log in I initially received the following message:

"Central user log in
The provided authentication token is either expired or invalid."

After receiving this message I tried clearing the image & file cache and site data for wikipedia.org, and noticed that Chrome appears to open the Wikipedia Android app during the login process, so I updated the app to the latest version along with clearing its cache but leaving the stored data intact.

After having done this, logging in through Google Chrome advises that the Wikipedia site is logged in through a central login; however, when attempting to access the change password page it prompts to log in again, and when trying to do so the same error appears as above:
"Central user log in
The provided authentication token is either expired or invalid."

I have tried setting Chrome as the default browser to avoid the process opening Edge; however, this results in the same error.

I then tried the process again in Edge after having cleared the stored data & cache for the Wikipedia app, and it does log in using the central user login, though when attempting to change the password via the mobile site it still displays the same behaviour where the page does not progress and the password is not changed.

I have also tried removing the account from the list of accounts on my device (listed as username:wikimedia) however this did not help.

As I was able to change my password via the desktop version of the site on my device, the change of password is not my primary concern, but the process using the mobile site along with the expired/invalid token messages.

Please let me know if there is anything else I can provide or if you might be aware of why this might be occurring.

Thank you for your assistance.

Kind Regards,
Ryan Putland.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

@sbassett I'm not sure this requires custom policy or Security tags. It sounds like the user is simply having trouble changing their password and/or logging in, and decided to report to security@.

There does seem to be a valid issue in there, which is:
When logging in to Wikipedia from a browser app such as Chrome, and having the Wikipedia app installed, the app incorrectly intercepts the resulting URL and passes it back to the browser, resulting in a weird state where the browser says "The provided authentication token is either expired or invalid."

However, the good news is: when the user is on that page (which says "the token is expired or invalid"), they are in fact logged in. So you can tap on any of the buttons at the top of the webpage, e.g. the hamburger-menu, user-account button, search, etc, and navigate away from that page, and you should be logged in.

> @sbassett I'm not sure this requires custom policy or Security tags. It sounds like the user is simply having trouble changing their password and/or logging in, and decided to report to security@.

That's fine, we can make this public. IIUC, it sounds like there might be some feature-enhancement work for you/Android team given the confusion that results from the competing browser and mobile apps?

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 2 2024, 4:44 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett removed projects: Security, Security-Team.

> That's fine, we can make this public. IIUC, it sounds like there might be some feature-enhancement work for you/Android team given the confusion that results from the competing browser and mobile apps?

Yep, thanks, this will just be a matter of improving how the app handles certain URLs, particularly URLs that are part of the login sequence on web.

JTannerWMF triaged this task as Medium priority. Apr 16 2024, 8:42 PM

I am going to move this to the backlog, but at some point @Dbrant will investigate which URLs this is affecting.

At the end of the login sequence on mobile web, it redirects the user to /wiki/Special:CentralLogin/complete?token=...
The app intercepts this URL (because it's configured to intercept all paths that start with /wiki/). Once the app sees that this is a Special page, it bounces it back out to the browser app, but by this point the request is missing some crucial bits of state (headers? referer?) that cause it to show the strange error.

Unfortunately this can't be fixed easily at the moment because, frustratingly, the Android system doesn't let us exclude paths from our intent handler.
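The interception sequence described in the comments above, as an added model that is not the Wikipedia Android app's own code: the intent filter below is an assumed, plausible shape for a /wiki/ deep-link filter (the real manifest is not on this page), the sample URLs are constructed, and the token value is made up. It reproduces Android's pathPrefix matching, the Special: check that triggers the hand-off, and shows which URLs reach the app at all.

```python
"""Model of Android intent-filter matching plus the app's Special-page hand-off.
Constructed example; the filter is an assumed shape, not the app's manifest."""
from urllib.parse import urlsplit, unquote

# Assumed <intent-filter> data, one dict per <data> element (hypothetical):
#   <data android:scheme="https" android:host="en.m.wikipedia.org"
#         android:pathPrefix="/wiki/" />
INTENT_FILTER = [
    {"scheme": "https", "host": "en.wikipedia.org", "pathPrefix": "/wiki/"},
    {"scheme": "https", "host": "en.m.wikipedia.org", "pathPrefix": "/wiki/"},
]

# Constructed sample URLs: the CentralAuth completion redirect from the task
# (token made up), a normal article, the same Special page reached through
# /w/index.php, and a Special page on a host the filter does not list.
SAMPLE_URLS = [
    "https://en.m.wikipedia.org/wiki/Special:CentralLogin/complete?token=0123456789abcdef",
    "https://en.m.wikipedia.org/wiki/Main_Page",
    "https://en.m.wikipedia.org/w/index.php?title=Special:CentralLogin/complete&token=0123456789abcdef",
    "https://login.wikimedia.org/wiki/Special:CentralLogin/start",
]


def app_claims(url: str) -> bool:
    """Does any <data> element match?  Android's pathPrefix is a literal prefix
    test on the path component only: query and fragment are ignored, and the
    manifest offers no way to subtract a sub-path such as /wiki/Special: from
    a prefix, which is the limitation the last comment describes."""
    u = urlsplit(url)
    return any(
        u.scheme == d["scheme"]
        and u.hostname == d["host"]
        and u.path.startswith(d["pathPrefix"])
        for d in INTENT_FILTER
    )


def page_title(url: str) -> str:
    """Title portion of a /wiki/<title> URL, percent-decoded."""
    path = urlsplit(url).path
    return unquote(path[len("/wiki/"):])


def app_decision(url: str) -> str:
    """What happens to a tapped URL:
    'browser' - the filter does not match, so Android never offers the app;
    'app'     - the app claims it and renders it in-app;
    'bounce'  - the app claims it, sees a Special: page, and re-sends it as a
                fresh ACTION_VIEW intent to whichever browser Android picks."""
    if not app_claims(url):
        return "browser"
    if page_title(url).startswith("Special:"):
        return "bounce"
    return "app"


def classify(urls=SAMPLE_URLS) -> dict:
    """Decision for each sample URL, keyed by URL."""
    return {u: app_decision(u) for u in urls}


if __name__ == "__main__":
    for u, d in classify().items():
        print(f"{d:8} {u}")
```

Two things the model makes concrete. First, only URLs whose path starts with /wiki/ are ever claimed, so the CentralLogin completion URL is claimed purely because it lives under the article path, while the same Special page addressed via /w/index.php would go straight to the browser. Second, an ACTION_VIEW intent re-sent by the app carries nothing but the URI: the receiving browser, which need not be the browser that started the login (the report involves both Edge and Chrome), performs a brand-new navigation with its own cookies and no Referer from the page that issued the redirect. That is consistent with the "missing state" observation above, though the page does not pin down which piece of state the token check actually needs.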