Page MenuHomePhabricator
Create Task
Maniphest T386978

Blocked Wikidata user sockpuppets are doing automated misconduct with QuickStatements
Open, MediumPublicBUG REPORT
Actions

Description

Some blocked Wikidata users may be doing misconduct in the form of doing maximal automated edits in QuickStatements. This does not seem to be a crisis as the editing is blocked. I do not see a negative editing outcome for this activity, but I think the intent is to consume computing resources. It seems to be doing something with large automated batches of edit requests that do not result in Wikidata edits. This is a case of active misconduct and may be some kind of security issue.

Steps to replicate the issue (include links if applicable):

  • Sorry, I am just reporting based on what I read in a Wikidata thread. I do not have technical understanding of what might be happening.

What happens?:

A Wikidata blocked user is able to use a Wikidata automated tool, QuickStatements. I think what is happening is that QuickStatements first allows anyone to make automated edit requests, then after they make many requests, it finally checks at the end whether the user is blocked. Consequently, it processes many thousands of requests, then cancels them after they are set up.

What should have happened instead?:

QuickStatements should first check whether a user is blocked, and if they are, prohibit use of tools.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Event Timeline

Bluerasberry created this task.Feb 20 2025, 9:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 20 2025, 9:59 PM
Daniel_Mietchen updated the task description. (Show Details)Feb 20 2025, 10:01 PM
Daniel_Mietchen subscribed.
Bluerasberry updated the task description. (Show Details)Feb 20 2025, 10:03 PM
Bluerasberry updated the task description. (Show Details)
Bluerasberry updated the task description. (Show Details)Feb 20 2025, 10:05 PM
Bluerasberry updated the task description. (Show Details)
Bluerasberry updated Other Assignee, added: Magnus.
Bluerasberry updated Other Assignee, removed: Magnus.
Bluerasberry added a subscriber: Magnus.
A_smart_kitten added a project: Tools.Feb 20 2025, 10:14 PM
Daniel_Mietchen renamed this task from blocked Wikidata user doing automated misconduct with QuickStatements to Blocked Wikidata user sockpuppets are doing automated misconduct with QuickStatements.Feb 21 2025, 6:15 PM
Daniel_Mietchen added projects: Persona-Vandal, Security.
Daniel_Mietchen updated the task description. (Show Details)
Epidosis subscribed.Feb 22 2025, 6:20 PM

By the way, restoring the right for Wikidata administrators to block batches in QuickStatements would mitigate the issue; this function ceased to work many years ago.

Epidosis added a comment.Feb 23 2025, 12:26 AM

Reported to Magnus Manske (https://www.wikidata.org/w/index.php?title=User_talk:Magnus_Manske&diff=prev&oldid=2315516746).

Daniel_Mietchen triaged this task as Medium priority.Mar 14 2025, 4:26 PM
Bluerasberry added a comment.EditedMar 21 2025, 10:54 PM

The misconduct persists. Reported again at Wikidata ANI

https://www.wikidata.org/wiki/Wikidata:Administrators%27_noticeboard#Report_concerning_User%3AVerifyToday

Wustenspringmaus subscribed.EditedMar 24 2025, 3:09 PM

As admins on WD, we still can't stop the batches.

RhinosF1 subscribed.Apr 3 2025, 3:45 PM
taavi merged a task: Restricted Task.Apr 3 2025, 3:49 PM
taavi added subscribers: taavi, Lucas_Werkmeister_WMDE, sbassett.
taavi removed a project: Persona-Vandal.Apr 3 2025, 3:53 PM

Following up from my comments from the private duplicate: if the only impact from those users is that they're DoSing the tool itself then we have nothing that we could easily do from either the Toolforge infrastructure or the MediaWiki side. So that needs to be fixed by the maintainers of that tool. If the tool is down and maintainers are active, then https://wikitech.wikimedia.org/wiki/Help:Toolforge/Abandoned_tool_policy could be used to adopt the tool.

matej_suchanek subscribed.Apr 5 2025, 1:57 PM
In T386978#10573119, @Epidosis wrote:

By the way, restoring the right for Wikidata administrators to block batches in QuickStatements would mitigate the issue; this function ceased to work many years ago.

https://github.com/magnusmanske/quickstatements/pull/62

matej_suchanek added a comment.Apr 7 2025, 5:13 PM
In T386978#10573119, @Epidosis wrote:

By the way, restoring the right for Wikidata administrators to block batches in QuickStatements would mitigate the issue; this function ceased to work many years ago.

In T386978#10668792, @Wustenspringmaus wrote:

As admins on WD, we still can't stop the batches.

At least now we can. I could stop all the batches by VerifyToday.

Magnus added a comment.Apr 8 2025, 7:06 AM

FWIW I added a check on every ~20s batch edit (to not overload the Wikidata API) if the user is blocked, which should then block all batches by this user. Please let me know if this is effective, or if it has unintended side effects.

Aklapper added a comment.Apr 8 2025, 9:25 AM

@Magnus: Could you please provide a link to that changeset/patch? Thanks.

Magnus added a comment.Apr 8 2025, 2:47 PM

@Aklapper https://github.com/magnusmanske/quickstatements_rs/commit/3e50c3a9356e1ddc34a0de7cfd345a4a78b51be5

Bugreporter subscribed.Apr 13 2025, 2:34 PM

Only checking whether the user is blocked only when an edit fails would be better.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits