Investigate what to do about the AbuseFilter log revealing someone's IP address via historical logs
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tchanders
	May 15 2024, 5:45 PM

Description

Background

T363906 introduces the concept of variables that have PII, specifically a user_unnamed_ip variable, for use when temporary accounts are enabled, since user_name will no longer be the IP address. (This will not be available for fully registered users, just temporary users.)

The IP address in the filter and the filter details will only be readable by users who have access to reveal IP addresses. As will the logs for that filter being triggered. In accordance with our policy of deleting IP addresses after a fixed time, the value will be stored in afl_ip (separately from the rest of the data, in afl_var_dump), so that it can be purged after the fixed time.

However, as it stands, logs will be visible forever, so whoever can read a filter containing the IP address can see who triggered the filter from that address or range.

Is this a problem?

This was mentioned up in T363906#9782548.

There's a comparable case in CheckUser, where it can be accurately guessed from the CheckUser logs which users are associated with which IP addresses, even after the IPs have been removed. This case is arguably worse, if the barrier to triggering a filter is lower than the barrier to triggering a CheckUser investigation.

What can be done?

Some suggestions:

Do nothing
Purge any logs for filters containing IP addresses after a time
Remove the filter ID from any logs for filters containing IP addresses after a fixed time

Related Objects
Search...

Status	Assigned	Task
In Progress	Niharika	T324492 Temporary accounts - MVP
Open	None	T326816 Update features for temporary accounts
Open	Tchanders	T326869 Update TSP-owned products that may be affected by IP Masking
Resolved	lbowmaker	T262321 IP Masking
Resolved	tstarling	T300263 [IP Masking] Create temporary account on first edit
Open	None	T307060 [Epic] Temporary account AbuseFilter support
Open	STran	T357772 Investigate: How will `ip_in_range` and `ip_in_ranges` function when temporary accounts are enabled
Open	STran	T363906 Ensure filters that use PII-sensitive variables are protected
Resolved	kostajh	T365049 Investigate what to do about the AbuseFilter log revealing someone's IP address via historical logs

Event Timeline

Thanks @Dreamy_Jazz for discussing this with me.

Tchanders updated the task description. (Show Details)May 21 2024, 11:36 AM

kostajh updated the task description. (Show Details)Tue, Jun 11, 11:33 AM

After discussing with @STran, our thoughts are:

Go with the "Do nothing" approach mentioned in the task description
Rely on the logging we implement in T365743: Log when AbuseFilter user sees IP address associated with temp account via user_unnamed_ip variable trigger to detect misuse / abuse of this information

The "do nothing" approach could be changed at some later point in time, given more time/resources to work on the problem.

cc @Tchanders @Dreamy_Jazz

Thanks @kostajh , @STran . That makes sense to me.

kostajh closed this task as Resolved.Mon, Jun 24, 9:44 AM

kostajh claimed this task.

Investigate what to do about the AbuseFilter log revealing someone's IP address via historical logsClosed, ResolvedPublicActions