Page MenuHomePhabricator
Create Task
Maniphest T391194

CheckUser displays low-entropy client hints for login actions by Android devices running Chrome
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Log in to Wikipedia using an Android device and the latest Chrome version (135)
  • Run CheckUser on the account that logged in
  • Examine the Client Hint

What happens?:

  • CU displays platform ("Android"), major version (135), and mobile boolean information for the login action

What should have happened instead?:

  • CU displays mobile device model string, platform and version ("Android XX"), precise version (135.xxxx...), and mobile boolean information for the login action

Additional Information:

  • Testing was performed on enwiki, with the login being performed via the new auth.wikimedia.org domain introduced by SUL3.
  • I imagine this is an SUL3 teething issue, though if I understand T385572#10558044 and T381223 correctly, it's not an expected one.
  • Edit actions are unaffected. An Android/Chrome 135 device that logs in and performs an edit will show up with two different client hints in the CU table: One low-entropy (the login), one high-entropy (the edit).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ClientHints: Don't override SpecialPageBeforeExecute header handlingmediawiki/extensions/CheckUsermaster+175 -12
Customize query in gerrit

Related Objects

Event Timeline

Blablubbs created this task.Apr 6 2025, 3:14 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptApr 6 2025, 3:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Blablubbs updated the task description. (Show Details)Apr 6 2025, 3:15 PM
Blablubbs updated the task description. (Show Details)Apr 6 2025, 3:18 PM
Johannnes89 subscribed.Apr 6 2025, 6:47 PM
XXBlackburnXx subscribed.Apr 6 2025, 10:10 PM
Izno subscribed.Apr 7 2025, 3:27 AM
kostajh added a project: Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).Apr 7 2025, 6:59 AM
kostajh added a project: SUL3.Apr 7 2025, 7:01 AM
kostajh subscribed.Apr 7 2025, 7:37 AM

The issue seems to be that onSpecialPageBeforeExecute sets the relevant Accept-CH headers, but then those are immediately unset in onBeforePageDisplay which consults the CheckUserClientHintsUnsetHeaderWhenPossible variable before setting Accept-CH to an empty string. I don't know why this would have worked in a pre-SUL3 rollout set up.

kostajh claimed this task.Apr 7 2025, 7:52 AM
gerritbot added a comment.Apr 7 2025, 8:27 AM

Change #1134631 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@master] ClientHints: Don't override SpecialPageBeforeExecute header handling

https://gerrit.wikimedia.org/r/1134631

gerritbot added a project: Patch-For-Review.Apr 7 2025, 8:27 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)); removed Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).Apr 7 2025, 8:27 AM
kostajh moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.
Blablubbs added a comment.Apr 9 2025, 5:33 PM

I don't know why this would have worked in a pre-SUL3 rollout set up.

It's quite possible that the problem does predate the rollout, and simply went unrecognised/unreported because in most cases, we'd have gotten the variables of interest from subsequent actions, and so might not have had much reason to give much thought to the low-entropy hint that was also provided. Looking through some historical notes, the earliest instances of low-entropy CHs being displayed in overview tables (that I could find) are from late '24/early '25 (hence pre-dating the rollout), but there are some earlier instances where no CH was provided at all (despite use of Chrome). Alas, the question is probably mostly academic -- thank you for tackling this so quickly, @kostajh .

matmarex moved this task from Backlog to Blocked / External on the SUL3 board.Apr 9 2025, 10:27 PM
gerritbot added a comment.Apr 10 2025, 7:41 PM

Change #1134631 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] ClientHints: Don't override SpecialPageBeforeExecute header handling

https://gerrit.wikimedia.org/r/1134631

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.25; 2025-04-15).Apr 10 2025, 8:00 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 10 2025, 8:30 PM
kostajh moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Apr 11 2025, 12:34 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)); removed Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Apr 14 2025, 2:52 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.Apr 29 2025, 8:18 AM
dom_walden subscribed.

Logging into https://test.wikipedia.org on a few different (emulated) Android devices, doing a CheckUser query against the username I see client hints like: Brand: Chromium 133.0.6943.137, Platform: Android 15.0.0. I guess this is what we wanted.

kostajh closed this task as Resolved.Apr 29 2025, 8:21 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits