Page MenuHomePhabricator
Create Task
Maniphest T380666

external links spoofing diff links?
Open, Needs TriagePublicSecurity
Actions

Description

external links looking identical or near-identical to diffs can potentially be exploited
eg:

"Look at these vandal diffs:
[https://en.wikipedia.org/w/index.php?title=Wikipedia:Administrators%27_noticeboard/Incidents&diff=prev&oldid=0000000000] [https://en.wikipedia.org/w/index.php?title=Example&diff=0000000000&oldid=0000000000] [etc diffs] [http://en.wikipebia.biz/wiki/Special:Nuke/ClueBot] [irc://w3.org:6667] https://en.wikipedia.org/wiki/Special:UserLogoutUser]][https://en.wikipedia.org/w/index.php?title=Wikipedia:Adrninitsrators%27_noticeboard/lncidents&diff=prev&oldid=0000000000] something ~~~~"

at least some users when given a lot of diffs (like 5 or more) click them fast to open in new tabs without looking very closely at each url

fake el can be used maliciously (list of obvious examples goes here)

  • this may (?) be done with templates or css

suggest making external links visually different not only in color (because that doesn't help users who override colors for accessibility, with customized stylesheets? etc)

  • in text, such as [1] [2] [3] [ 4-ext ] [5], the 4th being marked differently
  • displaying full url if not on a wikimedia site
  • making external links non-clickable but text
  • text in fixed-width font without homoglyphs
  • other solutions etc

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Skullers created this task.Sat, Nov 23, 2:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSat, Nov 23, 2:50 AM
sbassett edited projects, added SecTeam-Processed, MediaWiki-Engineering; removed Security-Team.Mon, Nov 25, 5:22 PM
sbassett subscribed.

This is low-risk and would be a UI improvement.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Mon, Nov 25, 5:23 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Aklapper added a project: MediaWiki-General.Mon, Nov 25, 5:28 PM
Skullers closed this task as Resolved.Mon, Nov 25, 6:40 PM
Skullers triaged this task as Low priority.
Skullers updated the task description. (Show Details)
JJMC89 reopened this task as Open.Mon, Nov 25, 6:45 PM
JJMC89 raised the priority of this task from Low to Needs Triage.
JJMC89 updated the task description. (Show Details)
Skullers unsubscribed.Mon, Nov 25, 8:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits