Page MenuHomePhabricator
Create Task
Maniphest T396230

CVE-2025-6593: "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses
Closed, ResolvedPublicSecurity
Actions

Description

Found by @AAlhazwani-WMF:

  1. Ada creates an account, and provides Bob’s email during registration
    1. Bob receives the “Welcome” email
      1. Bob ignores the email
  2. Ada changes their (Bob’s) email in Special:Preferences
    1. Bob receives the “Wikipedia registered email address has been changed” email to their email address. This email includes Ada's IP address, username, and personal email [1]
    2. Ada receives the “Welcome” email to the their email address
  1. A should not happen. It discloses Ada's IP to Bob, and is probably needlessly scary for Bob the way it is phrased.

This bug was introduced 9 years ago (1.27.0) in User.php: Update 'setEmailWithConfirmation' for notification email for T31856: Email notification to old address when verified email address is changed or removed. Notice how the task talks about verified emil addresses, but the change does not introduce a check for that.

Details

Risk Rating
Medium
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: fix IP leak to unverified emailmediawiki/coremaster+2 -2
SECURITY: fix IP leak to unverified emailmediawiki/coreREL1_42+2 -2
SECURITY: fix IP leak to unverified emailmediawiki/coreREL1_43+2 -2
SECURITY: fix IP leak to unverified emailmediawiki/coreREL1_44+2 -2
SECURITY: fix IP leak to unverified emailmediawiki/coreREL1_39+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Michael created this task.Jun 6 2025, 3:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2025, 3:06 PM
Michael added projects: Growth-Team (Current Sprint), MediaWiki-Email, Trust and Safety Product Team.Jun 6 2025, 3:10 PM
Michael added subscribers: KStoller-WMF, Urbanecm_WMF, Sgs, EMill-WMF.

I'm adding a bunch of people from my team, and also TSP for visibility. I'll upload a change shortly, this should thankfully be easy to fix. But I'll be off next week, so someone else has to shepard it to production.

Michael added a comment.Jun 6 2025, 3:33 PM

This should work as expected. However, I'm not actually able to test it locally on my machine because I do not have emailing set up locally (yet). This should be kept in mind when reviewing:

T396230.patch1 KBDownload

Michael moved this task from Incoming to Code Review on the Growth-Team (Current Sprint) board.Jun 6 2025, 3:34 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.EditedJun 6 2025, 3:52 PM
sbassett added projects: SecTeam-Processed, Vuln-Infoleak.
sbassett subscribed.
In T396230#10891432, @Michael wrote:

This should work as expected. However, I'm not actually able to test it locally on my machine because I do not have emailing set up locally (yet). This should be kept in mind when reviewing:

T396230.patch1 KBDownload

CR+1, we should be able to get this deployed during this Monday's security window. Would be nice (but not essential IMO) to get another set of eyes on this for review before then.

Mstyles subscribed.Jun 9 2025, 10:36 PM
In T396230#10891525, @sbassett wrote:
In T396230#10891432, @Michael wrote:

This should work as expected. However, I'm not actually able to test it locally on my machine because I do not have emailing set up locally (yet). This should be kept in mind when reviewing:

T396230.patch1 KBDownload

CR+1, we should be able to get this deployed during this Monday's security window. Would be nice (but not essential IMO) to get another set of eyes on this for review before then.

Deployed

sbassett assigned this task to Michael.Jun 9 2025, 10:42 PM
sbassett added a parent task: Restricted Task.
Restricted Application added a project: User-Michael. · View Herald TranscriptJun 9 2025, 10:43 PM
Sgs moved this task from Code Review to QA on the Growth-Team (Current Sprint) board.Jun 10 2025, 11:32 AM
sbassett changed the task status from Open to In Progress.Jun 10 2025, 6:59 PM
sbassett triaged this task as Low priority.
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.
Michael added a subscriber: Etonkovidova.Jun 16 2025, 10:35 AM

I'm not fully sure how to best QA this, but adding @Etonkovidova because it is in our QA column now.

Etonkovidova closed this task as Resolved.Jun 17 2025, 1:58 AM
In T396230#10917683, @Michael wrote:

I'm not fully sure how to best QA this, but adding @Etonkovidova because it is in our QA column now.

Thank you @Michael! The issue described in the task description has been fixed - checked on testwiki wmf.5, i.e. if an email address was not verified, and that yet-to-be-verified email address was changed again in the Preferences, no notification would be sent to the old unverified email.

Michael reopened this task as Open.Jun 23 2025, 8:26 AM
Michael moved this task from QA to Blocked / Needs Work on the Growth-Team (Current Sprint) board.

Reopening, because I think this task still needs to be made public, and the change needs to be added to the GrowthExperiments master branch. That being said, I'm not sure what the process is in this case. Should we wait until the change is included in any security releases?

In T396230#10921084, @Etonkovidova wrote:
In T396230#10917683, @Michael wrote:

I'm not fully sure how to best QA this, but adding @Etonkovidova because it is in our QA column now.

Thank you @Michael! The issue described in the task description has been fixed - checked on testwiki wmf.5, i.e. if an email address was not verified, and that yet-to-be-verified email address was changed again in the Preferences, no notification would be sent to the old unverified email.

Thank you for verifying! 🙏

Urbanecm_WMF moved this task from Watching to Incoming on the Security-Team board.Jun 23 2025, 10:44 AM
In T396230#10937397, @Michael wrote:

Reopening, because I think this task still needs to be made public, and the change needs to be added to the GrowthExperiments master branch. That being said, I'm not sure what the process is in this case. Should we wait until the change is included in any security releases?

Since it is a Core patch, it needs to be included in a security release before the task can be made public. I'm boldly moving this to Incoming on Security Team's workboard, as I'd expect the next process to be driven by that team (if there is anything Growth can help with, please let us know). For now, I can see this task is listed in the tracking task for the next security release (T389303), so hopefully that means it would be included when the time comes.

Urbanecm_WMF edited projects, added Growth-Team; removed Growth-Team (Current Sprint).Jun 23 2025, 10:45 AM

No longer something we work on actively (please let us know if the Growth-Team is expected to take an action here). Moving to Tracking.

Urbanecm_WMF moved this task from Inbox to Tracking on the Growth-Team board.Jun 23 2025, 10:45 AM
Michael added a comment.Jun 23 2025, 12:04 PM
In T396230#10937822, @Urbanecm_WMF wrote:
In T396230#10937397, @Michael wrote:

Reopening, because I think this task still needs to be made public, and the change needs to be added to the GrowthExperiments master branch. That being said, I'm not sure what the process is in this case. Should we wait until the change is included in any security releases?

Since it is a Core patch, it needs to be included in a security release before the task can be made public. I'm boldly moving this to Incoming on Security Team's workboard, as I'd expect the next process to be driven by that team (if there is anything Growth can help with, please let us know). For now, I can see this task is listed in the tracking task for the next security release (T389303), so hopefully that means it would be included when the time comes.

Ah right, thanks! I had already forgotten again what this was about in detail.

sbassett added a comment.Jun 23 2025, 3:05 PM
In T396230#10937822, @Urbanecm_WMF wrote:

Since it is a Core patch, it needs to be included in a security release before the task can be made public. I'm boldly moving this to Incoming on Security Team's workboard, as I'd expect the next process to be driven by that team (if there is anything Growth can help with, please let us know). For now, I can see this task is listed in the tracking task for the next security release (T389303), so hopefully that means it would be included when the time comes.

Yep, that should be coming out in a week or two, so if we can hold off until then, that would be ideal.

sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 23 2025, 4:24 PM
Reedy added a subscriber: GerritBot.Jun 24 2025, 8:12 PM
Reedy closed this task as Resolved.Jun 24 2025, 8:27 PM
Reedy added projects: MW-1.43-release, MW-1.44-release, MW-1.42-release, MW-1.39-release.Jun 24 2025, 9:48 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy renamed this task from "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses to CVE-2025-6593: "{{SITENAME}} registered email address has been changed" email sent to unverified email addresses.Jun 24 2025, 11:27 PM
Reedy edited subscribers, added: gerritbot; removed: GerritBot.Jun 30 2025, 1:44 PM
gerritbot added a comment.Jun 30 2025, 6:04 PM

Change #1165073 had a related patch set uploaded (by Reedy; author: Michael Große):

[mediawiki/core@REL1_43] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165073

gerritbot added a project: Patch-For-Review.Jun 30 2025, 6:04 PM
gerritbot added a comment.Jun 30 2025, 6:20 PM

Change #1165086 had a related patch set uploaded (by Reedy; author: Michael Große):

[mediawiki/core@REL1_39] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165086

gerritbot added a comment.Jun 30 2025, 6:32 PM

Change #1165099 had a related patch set uploaded (by Reedy; author: Michael Große):

[mediawiki/core@REL1_44] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165099

gerritbot added a comment.Jun 30 2025, 6:42 PM

Change #1165086 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165086

gerritbot added a comment.Jun 30 2025, 7:03 PM

Change #1165114 had a related patch set uploaded (by Reedy; author: Michael Große):

[mediawiki/core@master] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165114

gerritbot added a comment.Jun 30 2025, 7:29 PM

Change #1165133 had a related patch set uploaded (by Reedy; author: Michael Große):

[mediawiki/core@REL1_42] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165133

gerritbot added a comment.Jun 30 2025, 7:29 PM

Change #1165099 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165099

gerritbot added a comment.Jun 30 2025, 7:35 PM

Change #1165073 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165073

gerritbot added a comment.Jun 30 2025, 7:50 PM

Change #1165114 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165114

gerritbot added a comment.Jun 30 2025, 8:13 PM

Change #1165133 merged by jenkins-bot:

[mediawiki/core@REL1_42] SECURITY: fix IP leak to unverified email

https://gerrit.wikimedia.org/r/1165133

sbassett removed a project: Patch-For-Review.Jul 8 2025, 8:34 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jul 8 2025, 9:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits