
Temporary accounts may be subject to a Denial Of Service attack
Closed, Invalid | Public | Security

Description

I'm thinking of the situation like an edit-a-thon, wiki conference, or school where a large number of people will be behind a single IP address. If I'm understanding the mechanism correctly, an IP user could make an edit, generating a temporary account, then delete their browser cookies to remove the local record of the account. When they perform the next edit, another temporary account will be generated. Repeat until the temporary account generation rate limit is reached, which I believe is by default some fairly small value like 6. This will effectively DOS all IP editors at the event.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

https://meta.wikimedia.org/wiki/Mass_account_creation#Requesting_temporary_lift_of_IP_cap should apply in a similar fashion...

And arguably, could also already be abused in the same way with a user creating N new accounts...

Thanks for raising the task, @RoySmith.

> If I'm understanding the mechanism correctly, an IP user could make an edit, generating a temporary account, then delete their browser cookies to remove the local record of the account. When they perform the next edit, another temporary account will be generated. Repeat until the temporary account generation rate limit is reached, which I believe is by default some fairly small value like 6. This will effectively DOS all IP editors at the event.

Yeah, the solution is what @Reedy pointed to https://meta.wikimedia.org/wiki/Mass_account_creation#Requesting_temporary_lift_of_IP_cap. Note that there is a separate rate limit available for temporary account creation. There is also T357802: Prompt user to create a regular account after temp account creation rate limit trip as a UX improvement for users who face the rate limit.

We looked into how often the rate limit might be tripped in T342880: Decide what the rate limit should be for temporary account creations and T357771: Analyze how many distinct devices edit per day from a given IP address. We can also observe how often rate limits for temporary account autocreation are tripped on this dashboard https://grafana.wikimedia.org/d/e293b3fd-032f-4915-a6c0-72b6062d66b5/temporary-accounts.

We will continue to keep an eye on it, but it seems like the situation is OK.
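The scenario in the task description and the mitigation pointed to above (a separate temporary-account creation limit per IP, lifted on request for a known event IP, with rate-limit trips watched on a dashboard) can be illustrated with a small simulation. This is an added example, not MediaWiki or Wikimedia code; the limit of 6 per window is the reporter's assumed default, the one-hour window and the 203.0.113.10 address are constructed for illustration, and the class and function names are hypothetical.

```python
# Added example (not MediaWiki code): a sliding-window limit on temporary-account
# creations per source IP. It shows how editors sharing one IP exhaust the cap,
# how refusals can be counted as a metric, and how a temporary cap lift for the
# event IP restores service. All constants and addresses below are constructed.
from collections import defaultdict, deque


class TempAccountLimiter:
    """Per-IP sliding-window limit on temporary-account creations."""

    def __init__(self, max_per_window=6, window_seconds=3600, exempt_ips=()):
        # 6 per window is the reporter's assumed default, not a verified value.
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.exempt_ips = set(exempt_ips)
        self._creations = defaultdict(deque)  # ip -> timestamps of creations in window
        self._trips = defaultdict(int)        # ip -> number of refused creations

    def _prune(self, ip, now):
        # Drop creations that have aged out of the window.
        q = self._creations[ip]
        while q and q[0] <= now - self.window_seconds:
            q.popleft()

    def allow_creation(self, ip, now):
        """Return True if a new temporary account may be created from `ip` at time `now`."""
        if ip in self.exempt_ips:
            return True
        self._prune(ip, now)
        if len(self._creations[ip]) >= self.max_per_window:
            self._trips[ip] += 1  # the "rate limit tripped" counter an operator would graph
            return False
        self._creations[ip].append(now)
        return True

    def lift_cap(self, ip):
        """Exempt an IP, modelling a granted 'temporary lift of IP cap' request."""
        self.exempt_ips.add(ip)

    def trip_count(self, ip):
        """How many creations from `ip` the limit has refused so far."""
        return self._trips[ip]


def simulate_shared_ip_event(limiter, ip, editors, start=0.0):
    """Each editor's first edit arrives with no temp-account cookie, so each needs a creation.

    One attendee repeatedly clearing cookies looks identical to the limiter, which
    only sees the shared IP; that is the ambiguity behind the reported concern.
    """
    return [limiter.allow_creation(ip, start + i) for i in range(editors)]


if __name__ == "__main__":
    event_ip = "203.0.113.10"  # constructed address from the TEST-NET-3 range
    limiter = TempAccountLimiter()
    outcome = simulate_shared_ip_event(limiter, event_ip, editors=10)
    print("allowed:", outcome.count(True), "refused:", outcome.count(False),
          "rate-limit trips:", limiter.trip_count(event_ip))
    limiter.lift_cap(event_ip)
    outcome = simulate_shared_ip_event(limiter, event_ip, editors=10, start=100)
    print("after cap lift, allowed:", outcome.count(True))
```

Because the limiter keys only on the IP, it cannot tell ten attendees from one client that discards its cookie ten times; the operational answer, as the comments above describe, is to lift the cap for the event's IP in advance and to watch the trip counter so that an unexpected spike at a single IP is noticed rather than silently locking out everyone behind it.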

sbassett subscribed.

@kostajh @Reedy - Anything keeping this from being made public at this point? Thanks.

If you guys think it's OK to make public, I have no objection.

sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.