Page MenuHomePhabricator
Create Task
Maniphest T391634

Use more information in the EmailAuth logic to decide whether a login counts as risky
Open, Needs TriagePublic
Actions

Description

First, just log these bits of information. When we have some stats on frequency, we can consider what reaction would be appropriate.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
EmailAuth: Log privileges and recent activitymediawiki/extensions/WikimediaEventsmaster+163 -16
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Apr 10 2025, 9:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 10 2025, 9:09 PM
Tgr updated the task description. (Show Details)Apr 10 2025, 9:11 PM
gerritbot added a comment.Apr 10 2025, 9:13 PM

Change #1133144 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikimediaEvents@master] EmailAuth: Log privileges and recent activity

https://gerrit.wikimedia.org/r/1133144

gerritbot added a project: Patch-For-Review.Apr 10 2025, 9:13 PM
Johannnes89 subscribed.Apr 11 2025, 8:30 AM
kostajh subscribed.Apr 11 2025, 12:37 PM

whether the user has been active (on the current wiki; globally this seems hard)

I think we could use cuci_user which keeps track of CheckUser related activity.

kostajh added a comment.Apr 11 2025, 5:38 PM
In T391634#10733148, @kostajh wrote:

whether the user has been active (on the current wiki; globally this seems hard)

I think we could use cuci_user which keeps track of CheckUser related activity.

Although, I am not convinced that we should base the EmailAuth decision on user activity / inactivity. A user's level of activity doesn't help protect against credential stuffing attacks.

Tgr added a comment.Apr 11 2025, 7:47 PM
In T391634#10733148, @kostajh wrote:

I think we could use cuci_user which keeps track of CheckUser related activity.

Yeah that would work as long as we are fine with not being able to differentiate between people inactive in the last 90 days and people inactive for some longer period of time.

In T391634#10734428, @kostajh wrote:

I am not convinced that we should base the EmailAuth decision on user activity / inactivity. A user's level of activity doesn't help protect against credential stuffing attacks.

If you see a suspicious login from an inactive user, it's more likely to be an attack than a suspicious login from an active user.

Maybe it would make more sense as an alerting / rate limiting rule than an EmailAuth rule.

gerritbot added a comment.May 5 2025, 9:41 AM

Change #1133144 merged by jenkins-bot:

[mediawiki/extensions/WikimediaEvents@master] EmailAuth: Log privileges and recent activity

https://gerrit.wikimedia.org/r/1133144

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.28; 2025-05-06).May 5 2025, 10:00 AM
Maintenance_bot removed a project: Patch-For-Review.May 5 2025, 10:30 AM
EMill-WMF subscribed.Jun 10 2025, 4:45 PM
A_smart_kitten added a project: WikimediaCustomizations.Feb 26 2026, 3:09 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptFeb 26 2026, 3:09 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits