
I was logged in despite a 2FA error
Closed, Duplicate · Public

Description

I have been getting randomly logged out (see T387061) which is annoying but not a security issue per se.

Minutes ago, I refreshed a previously logged in tab on fawiki (my last edit on fawiki was at 14:09 UTC and the time now is 21:55 UTC) and I found myself to be logged out again. So, I started logging in. Since I am a CU on fawiki, I have to enter a 2FA token when I log in. Either I entered the wrong token, or MediaWiki incorrectly deemed it an "expired" token, because when I entered it and pressed submit, the page showed me a red warning box indicating the token is invalid or has expired. Below it was NOT a place to enter the 2FA token again though (as is typically the case when you enter an invalid token). Instead, below it was simply a blue button for getting "centrally logged in". Thankfully, I was able to go back in my browser and take a screenshot.

The issue: pressing on that button logged me in successfully even though I apparently had entered an invalid 2FA token.

image.png (776×714 px, 65 KB)

Additional clues: The red message is centralauth-error-badtoken and the blue button is centralauth-non-login-wiki-buttonlabel.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Huji changed the subtype of this task from "Task" to "Bug Report".
Huji updated the task description.

Logs mentioning your username in the relevant time frame: https://logstash.wikimedia.org/goto/1d891346190d4c750ec8b7e89803a0c9

One of the entries is OATHAuth user Huji entered a valid OTP, so most likely this was some kind of bug with the redirection after login (maybe T390784), combined with our surprising autologin behavior, and not a security issue.

We'll have a closer look, but I'm writing this just to reassure you :)

Thanks. Definitely reassuring.

centralauth-error-badtoken (if you see it on the local wiki) typically means that the login was successful but something went wrong with the redirect back to the local wiki afterwards. So yeah I think this is just a duplicate of T390784: Error when logging-in on auth.wikimedia.org: "The provided authentication token is either expired or invalid.".

Thanks for your follow-up. I would argue that the phrase "The provided authentication token is either expired or invalid." does not mean "something went wrong with the redirect back to the local wiki" and so a separate message should be created and displayed in such circumstances.

And I have no issue with merging this with T390784 and/or with making this task public, if you deem appropriate.

The error is about an expired token that's used during authentication so technically the message is true, but you are right that "authentication token" sounds like it's about your password or 2FA token, when it's actually about an internal token, so the message could use improvement.
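The comments above distinguish three things that can be behind a "token expired or invalid" screen: the user's own credential, the short-lived internal token handed from the central login to the local wiki, and the case where the central session already exists so the local wiki can simply finish logging the user in. The following is an added illustration of that distinction in a generic, hypothetical handoff-token model; it is not CentralAuth or MediaWiki code, and the store, outcome names, TTL and message strings are all assumptions made for the example. The point it makes is the one raised in the thread: keeping the outcomes apart lets the local wiki show an accurate message instead of one that sounds like a password or 2FA failure, while the token itself stays single-use so a replayed redirect never logs anyone in by itself.

```python
"""Hypothetical model of a one-time login handoff token (added example, not
CentralAuth code). A central login service issues a short-lived, single-use
token bound to a target wiki; the local wiki redeems it to create its local
session. Three outcomes are kept apart so the user-facing message is accurate:
token redeemed, token expired/unknown with no central session, and token
expired/unknown while the server has already verified a central session."""

import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

OUTCOME_REDEEMED = "redeemed"
OUTCOME_BAD_TOKEN = "bad-token"
OUTCOME_CENTRAL_SESSION = "central-session-exists"


@dataclass
class HandoffTokenStore:
    """Single-use tokens with a TTL. `clock` is injectable so the behaviour
    around expiry can be exercised deterministically."""
    ttl_seconds: float = 60.0
    clock: Callable[[], float] = time.time
    _tokens: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)

    def issue(self, username: str, target_wiki: str) -> str:
        # 256-bit random token; the store, not the token, carries the identity.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, target_wiki, self.clock() + self.ttl_seconds)
        return token

    def redeem(self, token: str, target_wiki: str) -> Optional[str]:
        """Return the username if the token is live, bound to this wiki and
        unused; otherwise None. The entry is removed on the first attempt
        either way, so a replayed redirect can never succeed."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        username, bound_wiki, expires_at = entry
        if bound_wiki != target_wiki or self.clock() > expires_at:
            return None
        return username


def complete_local_login(store: HandoffTokenStore, token: str, target_wiki: str,
                         central_session_user: Optional[str] = None) -> Tuple[str, Optional[str], str]:
    """Decide what the local wiki should do with an incoming handoff token.
    `central_session_user` is assumed to be the result of the server's OWN
    check of the central session (e.g. a shared cookie), never a value
    supplied by the client."""
    username = store.redeem(token, target_wiki)
    if username is not None:
        return OUTCOME_REDEEMED, username, "Logged in."
    if central_session_user is not None:
        # The credential step already succeeded centrally; only the redirect
        # token is stale. Say so rather than implying a bad password/2FA code.
        return (OUTCOME_CENTRAL_SESSION, central_session_user,
                "You are already logged in centrally, but the redirect back to "
                "this wiki expired. Continue to finish logging in here.")
    return OUTCOME_BAD_TOKEN, None, "The login link is expired or invalid. Please log in again."


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""
    def __init__(self, t: float = 1000.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> list:
    """Walk through the four cases and return the outcome of each."""
    clock = FakeClock()
    store = HandoffTokenStore(ttl_seconds=60, clock=clock)
    results = []
    # 1. normal handoff: issue, redirect, redeem once
    t1 = store.issue("ExampleUser", "examplewiki")
    results.append(complete_local_login(store, t1, "examplewiki")[0])
    # 2. replay of the consumed token with no central session: plain error
    results.append(complete_local_login(store, t1, "examplewiki")[0])
    # 3. token expired, but the server finds an existing central session
    t2 = store.issue("ExampleUser", "examplewiki")
    clock.t += 61
    results.append(complete_local_login(store, t2, "examplewiki", central_session_user="ExampleUser")[0])
    # 4. token issued for one wiki presented to another: rejected
    t3 = store.issue("ExampleUser", "examplewiki")
    results.append(complete_local_login(store, t3, "otherwiki")[0])
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Case 3 is the situation the report describes: the credential and OTP step succeeded, the handoff token went stale, and the only correct next step is to let the already-established central session complete the local login, which is exactly why a distinct message is the right fix rather than a change to the login decision itself.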

sbassett triaged this task as Low priority.
sbassett removed a project: WMF-NDA.
sbassett changed the subtype of this task from "Bug Report" to "Security Issue".
sbassett changed Author Affiliation from N/A to Wikimedia Communities. (Apr 21 2025, 3:00 PM)
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett changed the subtype of this task from "Security Issue" to "Task".
sbassett added a project: SecTeam-Processed.