Page MenuHomePhabricator
Create Task
Maniphest T390051

CheckUser login: Some failed login events appearing as logging into an IP address
Closed, ResolvedPublic
Actions

Description

Summary

Several users have reported seeing IP addresses as the username for failed login attempts in CheckUser. We should investigate the cause and fix the issue so that the username entered is displayed.

Background

  • The CheckUser extension allows users to see failed login attempts on accounts
  • Some of these failed login attempts on WMF wikis are appearing where the username is the IP address used to make the login attempt
  • This should not be occurring as it is unlikely that users are entering their actual IP address in when attempting to sign in to an account

Acceptance criteria

  • The cause of these incorrect events is determined
  • The events no longer appear as incorrect

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
AuthManager: Don't use anon for audit hook if autocreation failedmediawiki/coremaster+27 -1
CheckUserPrivateEventsHandler: Update warning for failed login to IPmediawiki/extensions/CheckUsermaster+1 -2
Warn when login log is created for login to IP addressmediawiki/extensions/CheckUsermaster+44 -0
Customize query in gerrit

Event Timeline

Dreamy_Jazz created this task.Mar 26 2025, 12:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2025, 12:48 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Apr 3 2025, 11:23 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)); removed Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).May 5 2025, 6:50 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 5 2025, 7:01 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).May 21 2025, 1:41 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).Jul 7 2025, 9:47 AM
kostajh subscribed.Jul 17 2025, 5:04 PM

@Dreamy_Jazz are these user reports still occurring? Are there recent examples you can link in a private paste?

Dreamy_Jazz added a comment.Jul 17 2025, 5:21 PM
In T390051#11014433, @kostajh wrote:

@Dreamy_Jazz are these user reports still occurring? Are there recent examples you can link in a private paste?

A rough count suggests about ~9,000 of these invalid failed logins in the last 90 days just on the English Wikipedia. Today there were 64 of these on the English Wikipedia. Added more detail to P79351.

Dreamy_Jazz added a comment.Jul 17 2025, 6:42 PM

I think the first step we could take is to create a logstash log for debugging purposes when this happens. That would likely help us find where the issue is coming from.

Dreamy_Jazz claimed this task.Jul 17 2025, 6:55 PM
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.
gerritbot added a comment.Jul 17 2025, 7:33 PM

Change #1170413 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Warn when login log is created for login to IP address

https://gerrit.wikimedia.org/r/1170413

gerritbot added a project: Patch-For-Review.Jul 17 2025, 7:33 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.Jul 17 2025, 7:42 PM
Dreamy_Jazz moved this task from Needs Review to Ready on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.Jul 17 2025, 8:18 PM

Need to wait until we start getting logs sent our way and then we can pick this task back up.

gerritbot added a comment.Jul 17 2025, 8:26 PM

Change #1170413 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Warn when login log is created for login to IP address

https://gerrit.wikimedia.org/r/1170413

Maintenance_bot removed a project: Patch-For-Review.Jul 17 2025, 8:31 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.11; 2025-07-22).Jul 17 2025, 9:00 PM
Dreamy_Jazz moved this task from Ready to Priority Backlog on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.Jul 18 2025, 10:34 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).Jul 28 2025, 4:37 AM
Dreamy_Jazz added a comment.EditedJul 29 2025, 2:56 PM

This appears to be caused by:

  • The IP address of the user is blocked on a local wiki
  • An existing user attempts to login on a wiki where they do not have a local account
  • The login fails because the autocreation is denied by the local IP block

This appears to be a bug where:

  • AuthManager::autoCreate to resets the $user to an anon user if the autocreation fails
  • This means that the AuthManagerLoginAuthenticateAudit hook run uses the anon user for the "User being authenticated against"

Fixing it so that the $user object passed to the hook is the user which was being authenticated against should address this problem.

gerritbot added a comment.Jul 29 2025, 3:31 PM

Change #1173962 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/core@master] AuthManager: Don't use anon for audit hook if autocreation failed

https://gerrit.wikimedia.org/r/1173962

gerritbot added a project: Patch-For-Review.Jul 29 2025, 3:31 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Jul 29 2025, 3:32 PM
gerritbot added a comment.Jul 29 2025, 3:37 PM

Change #1173963 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] CheckUserPrivateEventsHandler: Update warning for failed login to IP

https://gerrit.wikimedia.org/r/1173963

gerritbot added a comment.Jul 31 2025, 3:23 PM

Change #1173963 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] CheckUserPrivateEventsHandler: Update warning for failed login to IP

https://gerrit.wikimedia.org/r/1173963

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.13; 2025-08-05); removed MW-1.45-notes (1.45.0-wmf.11; 2025-07-22).Jul 31 2025, 4:00 PM
gerritbot added a comment.Jul 31 2025, 5:29 PM

Change #1173962 merged by jenkins-bot:

[mediawiki/core@master] AuthManager: Don't use anon for audit hook if autocreation failed

https://gerrit.wikimedia.org/r/1173962

Maintenance_bot removed a project: Patch-For-Review.Jul 31 2025, 5:31 PM
hector.arroyo subscribed.Aug 1 2025, 10:42 AM

I see all patches associated with this task have been already merged, and T390051#11043496 suggests the cause for the error was already found and fixed by those patches (1173962). Should this be moved forward for QA?

In T390051#11043496, @Dreamy_Jazz wrote:

This appears to be caused by:

  • The IP address of the user is blocked on a local wiki
  • An existing user attempts to login on a wiki where they do not have a local account
  • The login fails because the autocreation is denied by the local IP block

This appears to be a bug where:

  • AuthManager::autoCreate to resets the $user to an anon user if the autocreation fails
  • This means that the AuthManagerLoginAuthenticateAudit hook run uses the anon user for the "User being authenticated against"

Fixing it so that the $user object passed to the hook is the user which was being authenticated against should address this problem.

kostajh moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 1 2025, 11:42 AM

Moving to QA, we can verify when wmf.13 is in production next week.

Dreamy_Jazz added a comment.Aug 1 2025, 12:16 PM

It is possible that we find other instances when the log is created, so this may need to move back to in progress if we see more logs.

OKryva-WMF triaged this task as Low priority.Aug 1 2025, 1:47 PM
Dreamy_Jazz added a comment.EditedAug 7 2025, 3:58 PM

It looks like the fix to AuthManager may have done it, but want to verify next week that we see no entries in cu_private_event which are an issue in enwiki from today.

Dreamy_Jazz closed this task as Resolved.EditedAug 11 2025, 12:34 PM

We can skip QA because we are no longer seeing these kinds of events in cu_private_event on WMF production enwiki:

(enwiki)> select count(*) from cu_private_event where cupe_log_action = 'login-failure' and cupe_title = cupe_ip and cupe_timestamp > '20250808000000';
+----------+
| count(*) |
+----------+
|        0 |
+----------+

We can leave the warning in the code in case this happens again through a regression.

Dreamy_Jazz moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.Aug 11 2025, 12:35 PM
Dreamy_Jazz updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits