
Account recognizer (LoginNotify) is broken!
Closed, Invalid | Public | Security

Description

I had to login to Wikipedia on my computer today (I had enabled Dark Mode, I was seeing Light Mode, an alarm that I had been logged out). Then I see I received an email about seeing a new login from an unknown device. Four problems with this: The checkbox says it'll keep me logged in for a year. My last login was when I spotted that Dark Mode was now available, I logged in only a few months ago to set and save Dark Mode. Secondly, this is NOT a new/unknown device! In addition to what I just said about logging in a few months ago, this is my DESKTOP COMPUTER, the only browser I use on it (up-to-date Firefox), and has been my main computer since I built it maybe 6 or so years ago. Thirdly, when clicking the help link in the email (I had hoped I'd find a path to reporting these errors), it says this is done via cookies via this LoginNotify, which last 180 days, that would be half a year (about), not the promised year. And note I did not delete my cookies (for reasons like this I don't delete cookies unless something is going wrong, then I delete only cookies related to the problem website), nor do I ever use Private browsing, including now. Fourthly, this is my desktop computer of many years, I don't ever want or need to be logged out, we should be able to have non-expiring logins.

I can only conclude that Wikipedia has trouble with multiple devices, which shouldn't happen if this is all via cookies. In addition to this desktop I use/login on an iPad (which is what I'm using to file this bug report), as well as 3 or 4 laptops during this same 6-or-so years (maybe one currently). I find it horribly offensive for the email to call this an "unknown" device when it's well known, and the actual event is an early auto-logout on YOUR side. The email should accurately reflect what actually happened, instead of a lame "(probably you)". A person who is less tech savvy than I am would think there was some issue, if a known device is being called Unknown.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Hi @Niceguy169, thanks for taking the time to report this! Could you elaborate what makes this a security issue?

I'd agree that this doesn't need to be a security task and is more a feature request/bug fix for MediaWiki-extensions-LoginNotify, which already has a decent backlog at this point and isn't very actively maintained these days AFAIK. I'm not sure how this issue could be actively exploited by an attacker aside from maybe leveraging knowledge of the bug for separate social-engineering attacks.

I felt this counted as Security since security is the reason we get logged out, and security is the reason for the email. Both are to protect the security of Wikipedia accounts. If there was no need to secure against malicious activity, there's no need to log us out, this is to make sure a malicious party doesn't find us logged in and do things in our name. And the email is to alert us of a login, in case someone else managed to login as us, then same thing, could make malicious edits in our name. Also, these security features making mistakes suggests potential for a minor security breach, if this isn't working right there might be something to exploit in this. As sbassett stated I can't see the exploit, but I'm not someone who makes a habit of using exploits, so that doesn't mean there isn't one. Feels better to fix it to be sure.

Honestly, when it comes to Wikipedia, I can't think of anything else that IS security, what other Wikipedia security is there, other than protecting accounts and protecting the integrity of articles (via protecting accounts)? I'm a little surprised I had to explain how a security feature flaw is a security issue.

Checking that link now... these features/actions are to prevent "a hostile set of actions or campaign" (Point 1), to protect "the integrity of data hosted by the Wikimedia Foundation or affiliated entities)" from becoming "at risk of being corrupted, tampered with, or otherwise modified in an unauthorized manner." (Point 2) - logins is what makes things authorized - and protecting "the confidentiality of data owned by the Wikimedia Foundation" - things only visible to me like my settings, and I assume there's an Edit History (again, what other private information IS there?) - to prevent "information meant to be restricted or private is leaked" (Point 3). When these functions are flawed it is a crack in the security.

The checkbox says it'll keep me logged in for a year.

No, it says "for up to one year".

Then I see I received an email about seeing a new login from an unknown device

In my understanding such a notification is also triggered by 3 failed login attempts, so it doesn't have to be a successful login.

It's fair to say that LoginNotify does not explain well what a "new device" implies, as it can also refer to a different IP address. See existing open bug reports.

I don't see anything in this ticket not covered by existing bug reports so I'm closing this task.

Sorry, this is quite valid, and I hesitate to believe these issues are sufficiently covered in existing bug reports, or such obvious errors would have been fixed immediately, most of it is not difficult. "Up to one year" is nitpicking, seeing as this stuff isn't flexible. These expiring cookies get a specific end date, it isn't fuzzy, computers are specific. I don't think it said "up to", but if it does that's intentional lying unless it actually IS a year (no matter the precise wording, sorry). All the same arguments go to the place that said 180 days. If that's not the specific length - it was worded like it is - that's also a lie. If it's accurate, the checkbox is a lie. SOMETHING needs fixing, only devs who can see the code can confirm the actual truth.

No, this is NOT for 3 unsuccessful logins. Firstly, what I read said 5 for a recognized device, some other number for unrecognized, and either way it's a different email than what I got. THAT one SAYS there were unsuccessful attempts made. If I had gotten THAT I wouldn't have reported it, I'd know I messed up my password (or more likely Wikipedia did). I'm too tech savvy to be getting such disrespect from you. Complaining like an entitled nitwit for my own error would be asking for ridicule. I'm reporting an actual issue here. I'm just doing my part to clean things up. I successfully logged in with my FIRST attempt on a well known device and got this email in error, which lied to me. Plain and simple. That's not acceptable. They want to report such a non-issue, it is deceptive to lie about it. There's a LOT that needs to be fixed here, and some of it is as simple as correcting the wording on some things (like that email and that checkbox), takes 5 minutes.

Oh, and no new IP address, same ISP, same hardware, same physical location (so even same wires). If my connection changes my IP - I believe some do - then they can't use it to identify whether a device is new, that's basic science and bureaucracy. An I.D. that changes is not a valid thing to check. Also, that's not how this works anyway (according to them), it's supposed to be using the cookies. I said this. "New Device" is completely unambiguous, that's not a dodge you can make. Sorry, it is NOT "fair to say", actually. If that's not how they mean it, THAT needs to be fixed. It's not hard to adjust things so the login expires but it still recognizes the device. Then the email can say "Your login expired, you logged back in" (except that email would be just as useless). And until then, they don't word things like that. Again, someone who doesn't know enough about computers to recognize Wikipedia's error would think there are some serious problems because of these lies.

Look, this needs to be fixed, defending what's broken is just counterproductive.

sbassett changed Author Affiliation from N/A to Wikimedia Communities. Oct 1 2024, 3:42 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

I've made this task public as it isn't a security issue and might benefit from more eyes on it. LoginNotify is technically maintained by Community-Tech these days, though I don't believe it's a top priority for their team and hasn't been actively developed aside from very minor maintenance updates in some time. I'd note that there are also notification user prefs available to disable various LoginNotify communications for those users that find them unhelpful:

user-prefs.png (94×359 px, 10 KB)

or such obvious errors would have been fixed immediately

No, see https://www.mediawiki.org/wiki/Bug_management/Development_prioritization (and https://www.mediawiki.org/wiki/How_to_become_a_MediaWiki_hacker if you're interested in writing a software change). Thanks.

We're all agreed, this is low priority, certainly. My assertion that it'd be fixed already is more because part of it is simply rewriting/rewording the email. No programming THERE, just changing the auto-mail. I wouldn't think this important at ALL if not for my vast experience with inexperienced users panicking over things like this (just today a friend Facebook messaged me the same meme twice so I deleted one, got a warning something like "You just deleted a message, this means your recipient won't see it. However, it will still appear on reports", this concerned her enough to send me a screenshot and tell me what happened, she was worried what it might mean. Highlights how it's good to use clear wording).

As for contributing, that is indeed an intriguing concept, I'll take a look at that later.

Preferences, it's certainly good to have, but turning them off just means I don't get the messages, it doesn't fix them or their triggers. In reality these messages aren't actually a problem for me, I know the truth, my device isn't new, the email is incorrect and I can freely ignore it. I reported this on behalf of the people who'd get worried because of these emails. People who DON'T know better, and don't know what to do about it or who to ask. "I always browse Wikipedia on this computer, it was fine yesterday, why am I suddenly logged out? Why did I have to log back in? Why is it saying it's a new device now???", etc. Better to avoid freaking them out.

LoginNotify doesn't provide many messages, and they are in many cases trivially updatable (with some of the links provided above... You can almost certainly do it via the gerrit UI)

	"loginnotify-desc": "Notify users about suspicious logins from unfamiliar devices and/or IP addresses",
	"echo-category-title-login-fail": "Failed login attempts",
	"echo-pref-tooltip-login-fail": "Notify me when there have been failed attempts to log in to my account.",
	"echo-category-title-login-success": "Login from an unfamiliar device",
	"echo-pref-tooltip-login-success": "Notify me whenever somebody logs into my account from an unfamiliar device and IP address.",
	"loginnotify-primary-link": "Help",
	"notification-loginnotify-login-fail-email-subject": "{{PLURAL:$2|Failed attempt|Multiple failed attempts}} to log in to {{SITENAME}} as $1",
	"notification-loginnotify-login-success-email-subject": "Login to {{SITENAME}} as $1 from a device {{GENDER:$1|you}} have not recently used",
	"notification-header-login-success": "Someone (probably {{GENDER:$1|you}}) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity.",
	"notification-new-bundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account from a new device since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-known-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-new-unbundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''multiple failed attempts'''}} to log in to your account from a new device. Please make sure your account has a strong password."

If you want to propose specific improvements, that often can be easier to see what changes/impact that may have.

@Niceguy169 - if you have some suggestions for the above messages that @Reedy provided, feel free to discuss them here and I can help get a simple patch up to gerrit for review, if you'd like.

Of course it would be more desirable to fix the detection of a new device - and, frankly, I don't have the insider knowledge of what caused my recognition to die. My guess is that while I logged in a few months ago, THAT logout was just something logging me out automatically on occasion, while THIS was my cookie expiring and getting deleted.

So, the trigger in question was "notification-header-login-success". With the current way it works, I would propose something like: "Someone (probably {{GENDER:$1|you}}) recently logged in to your account from a new device (or a device whose recognition expired). If this was you...". So, include admitting that KNOWN devices can be seen as new.

There have been some issues with login sessions barely lasting days, as part of some other login improvements being made. That's not specific to this extension, and unfortunately things happen.

Note also, as per our privacy policy, we only keep PII for 90 days, so we can't/won't keep track of your used browsers etc forever. So cookies etc help, and if for some reason that disappeared... Well, there's little we can do.

This also doesn't preclude anything else changing on your side (browser updates changing versions etc), which doesn't mean it's known to us anymore.

There are many things at play.

If you can narrow down a more reproducible case, and/or it's happening much more frequently for you, or for others too, that's a different story.

I can have a look at the logs at some point, and see if it makes it more obvious what triggered it in your specific case. It may be that they're not granular enough in this case (which is potentially a bug in itself).

Similar to what you're suggesting in terms of the message, I believe I've seen other sites (Facebook maybe?) use some wording like "that we haven't seen in a while", rather than just saying that it may be a new device.

Obviously changes on my end COULD affect things, which I would have taken into consideration (I AM technically-minded), but the only thing that changed is browser updates, which shouldn't have an impact - part of the point of cookies, it's a standard across browsers and all their versions. All my hardware has been the same, except adding a secondary storage hard drive which I think predates this (i.e. same primary hard drive).

It just seems like there SHOULD be some possibility, like when the cookie expires to leave some evidence that it was there, that this WAS a recognized device. Or one cookie maintaining the login for the set period of time, and a second longer lasting or non-expiring cookie identifying this as a Recognized Device. (I've made webpages but never have gotten into creating them to create and use cookies, so I'm just using my programmer knowledge to think what should be possible. For example, I feel certain I've seen websites use multiple cookies, and I believe there ARE infinite cookies and some control over expiry dates. Having a Recognized Device cookie last even a month longer than the Login cookie would solve this pretty effectively).

Reproducibility, ah, that's the problem. I was a game tester, I know well the value of being able to reproduce. But there'd only be deleting the cookie(s) (which then would be expected behaviour) or waiting until the next logout, see what warning/email that triggers. Except the trigger in question is absolutely identified without doubt in my last message - that is indeed the wording of the email I complained about - and the wording will obviously stay the same until someone edits it, so the two things being asked here are a message that will be clearer to the uninitiated (easily done) and a request to better/longer identify known devices (which doesn't require reproducing, it seems clearly established that after a certain point a device stops being "recognized", solutions would be to either find a way to keep them recognized, or find a way to recognize that it WAS recognized, to treat it accordingly, and speak about it as such, like my suggested wording edit above).
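Added illustration (not code from the LoginNotify extension or from anyone in this thread): a small Python simulation of the timeline the reporter describes and of the two-cookie proposal in the comment above, under Reedy's point that recognition rests on cookies surviving on the client. The 365-day session and 180-day recognition lifetimes come from the thread; the 30-day margin, the cookie names and the "re-issue both cookies on every login" behaviour are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Lifetimes in days as reported in the thread: "keep me logged in" sessions
# last up to 365 days, while the help page the reporter quotes gives the
# device-recognition cookie 180 days. The proposal is a recognition cookie
# that outlives the session; the 30-day margin is a constructed value.
SESSION_DAYS = 365
KNOWN_DEVICE_DAYS_CURRENT = 180
KNOWN_DEVICE_DAYS_PROPOSED = SESSION_DAYS + 30


@dataclass
class Browser:
    """Toy cookie jar: name -> (value, absolute expiry day)."""
    cookies: dict = field(default_factory=dict)

    def get(self, name: str, today: int) -> Optional[str]:
        entry = self.cookies.get(name)
        if entry is None or today >= entry[1]:
            self.cookies.pop(name, None)  # the browser drops expired cookies
            return None
        return entry[0]

    def set(self, name: str, value: str, today: int, days: int) -> None:
        self.cookies[name] = (value, today + days)


def login(browser: Browser, today: int, known_days: int) -> str:
    """Simulate one successful login and return the verdict a
    LoginNotify-style check would reach: 'known' or 'unfamiliar'.
    Assumption: both cookies are (re)issued on every login. The IP-address
    check the thread also mentions is deliberately left out."""
    verdict = "known" if browser.get("known_device", today) else "unfamiliar"
    browser.set("session", "sess", today, SESSION_DAYS)
    browser.set("known_device", "dev", today, known_days)
    return verdict


def replay(known_days: int, relogin_day: int) -> list:
    """Day 0: first login on a fresh browser. The session later ends
    (expiry, or an early logout like the one the reporter hit) and the
    user logs in again on relogin_day. Returns both verdicts in order."""
    b = Browser()
    return [login(b, 0, known_days), login(b, relogin_day, known_days)]


def compare(relogin_day: int = 200) -> dict:
    """Same timeline under the current and the proposed cookie lifetimes.
    With a re-login on day 200 the current setup reports 'unfamiliar'
    (the 180-day cookie is gone), the proposed one reports 'known'."""
    return {
        "current": replay(KNOWN_DEVICE_DAYS_CURRENT, relogin_day),
        "proposed": replay(KNOWN_DEVICE_DAYS_PROPOSED, relogin_day),
    }
```

Re-issuing the recognition cookie on every login means a device that logs in at least once per lifetime stays recognized indefinitely, while a device idle past the full margin still correctly shows as unfamiliar.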

OOI, do you use the Android Wikipedia app?

(Heh, I got logged out here, checkbox says "Keep me logged in (for up to 365 days)"... We can all see I was logged in more recently than THAT, my first login was creating this thread)

I didn't realize Wikipedia HAS an app, I do my Wikipedia browsing and editing in browsers (Safari when I'm on this iPad).

There's a separate, public task dealing with these types of logout issues: T372702.