
Allow AbuseFilter CAPTCHA actions to apply to users with skipcaptcha right
Open, Needs Triage, Public, Feature

Description

Feature summary (what you would like to be able to do and where):

The skipcaptcha user right is used to allow users to avoid some CAPTCHAs on Wikipedia. For example, it allows users to add external links to pages without being subjected to a CAPTCHA. Unfortunately, abuse filters currently always respect the skipcaptcha right, completely preventing abuse filters from applying a CAPTCHA action to edits and page moves. On English Wikipedia, this means there's no way for an abuse filter to CAPTCHA any edit or move from any autoconfirmed user.

It would be helpful if abuse filters could apply CAPTCHA actions even to users with the skipcaptcha right (either by removing the restriction entirely or by making it configurable per-filter).

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

Certain types of attacks that happen after an account has obtained the skipcaptcha right, especially vandalism and spam. Some specific example use cases:

  1. Many LTAs use accounts aged for several days, make several innocuous edits to game the autoconfirmed group, and then vandalize semi-protected articles.
  2. Some LTAs use accounts aged for 30+ days, rack up a very high number of automated edits in a short period of time to game the extendedconfirmed group, and then vandalize extended confirmed protected articles.
  3. Some spammers will age accounts to autoconfirmed status specifically to bypass CAPTCHA on external links.
  4. Some abusers script very fast edits after reaching autoconfirmed or extended confirmed. Abuse filters can detect high edit velocity. Since high edit velocity is not always abusive, being able to apply a CAPTCHA is a good way to slow down probable abuse without completely preventing legitimate users from making a change.

Benefits (why should this be implemented?):

We need to be able to allow abuse filters to slow down certain types of attacks that happen after an account has obtained the skipcaptcha right. We could slow down these attacks with a CAPTCHA action on an abuse filter.

Abuse filters have the benefit of being able to enforce CAPTCHA only in narrowly-defined cases (e.g., only when posting certain link patterns, or creating many pages quickly), reducing the amount of damage from certain types of bad actors that are frequently reaching autoconfirmed with their accounts while also affecting as few legitimate users as possible.
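The behaviour requested above, modelled on use case 4 (edit velocity), as an added example that is not part of the original task and is not MediaWiki or AbuseFilter code. The `VelocityFilter` class, its `override_skipcaptcha` option, the thresholds, user names and edit timestamps are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class VelocityFilter:
    """Hypothetical filter: matches once a user exceeds max_edits within window_s seconds."""
    max_edits: int
    window_s: int
    override_skipcaptcha: bool  # assumed name for the per-filter option the task asks for


def captcha_decisions(edits, rights, flt):
    """Return (timestamp, user, captcha_shown) for each edit.

    edits:  (timestamp_s, user) tuples in time order
    rights: user -> set of user rights
    """
    recent = defaultdict(deque)  # per-user sliding window of edit timestamps
    out = []
    for ts, user in edits:
        window = recent[user]
        window.append(ts)
        # Drop edits that have aged out of the window.
        while window[0] <= ts - flt.window_s:
            window.popleft()
        matched = len(window) > flt.max_edits
        # Current behaviour: skipcaptcha always suppresses the CAPTCHA action.
        # Requested behaviour: the filter can opt out of that exemption.
        exempt = ("skipcaptcha" in rights.get(user, set())
                  and not flt.override_skipcaptcha)
        out.append((ts, user, matched and not exempt))
    return out


# Constructed sample data: an aged account holding skipcaptcha scripts six
# edits in ten seconds; a new account without the right edits twice.
RIGHTS = {"AgedAccount": {"edit", "skipcaptcha"}, "NewUser": {"edit"}}
EDITS = [(0, "AgedAccount"), (1, "NewUser"), (2, "AgedAccount"),
         (4, "AgedAccount"), (6, "AgedAccount"), (8, "AgedAccount"),
         (10, "AgedAccount"), (50, "NewUser")]

if __name__ == "__main__":
    for override in (False, True):
        flt = VelocityFilter(max_edits=3, window_s=60, override_skipcaptcha=override)
        hits = [(ts, u) for ts, u, shown in captcha_decisions(EDITS, RIGHTS, flt) if shown]
        print(f"override_skipcaptcha={override}: CAPTCHA on {hits}")
```

With the exemption always honoured, the filter matches the burst but no CAPTCHA is ever shown; with the per-filter override, only the edits past the threshold are challenged and the slower account is untouched.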

Event Timeline

Note https://meta.wikimedia.org/wiki/CAPTCHA_exemptions exists for users that can/should not use captcha, and we may need a new user right for that user group.

The kinds of attacks Daniel describes here are important and AbuseFilter is one of the best tools the community has available. The community has come to deploy AbuseFilter quite responsibly and thoughtfully, and it makes sense to me to allow the community to decide whether a particular filter should present a captcha at what level of edits, rather than having a blanket rule that autoconfirmed users can't be captcha'd by AbuseFilter.