Userinfo API call creates account in all wikis where user is active
Open, Needs TriagePublicBUG REPORT
Actions

Assigned To

None

Authored By

	putnik
	Sep 22 2025, 7:55 AM

Description

Steps to replicate the issue (include links if applicable):

Open contribution of some user who is active in many projects, e.g. https://ru.wikipedia.org/w/index.php?title=User:Lvova&action=history
Click on the icon next to the user name to open UserInfo pop-up
https://ru.wikipedia.org/w/rest.php/checkuser/v0/userinfo API will be called
Most likely, you will get a timeout error after some time because the request is too heavy
You can try to open it again until it finally works
Open your SUL info, e.g. https://meta.wikimedia.org/wiki/Special:CentralAuth/Putnik
Order the list by the "Attached on" column
There will be a lot of new accounts

What happens?:
A request to https://ru.wikipedia.org/w/rest.php/checkuser/v0/userinfo created local accounts in wikis you never visited, but the requested person has accounts in.

What should have happened instead?:
No new local accounts should be created.

Related Objects

Mentioned In: T405890: Reenable external permission check in UserInfoCard after the issues are fixed
T405889: Disable external permissions check in UserInfoCard
Mentioned Here: T385752: Using special globalcontributions is causing clients to attach to other projects triggering autocreated accounts (especially mlwiki)

Event Timeline

putnik created this task.Sep 22 2025, 7:55 AM

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptSep 22 2025, 7:55 AM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

This has the same underlying issue as T385752#10780513. I don't see a good solution for how to address this.

In T405194#11200362, @kostajh wrote:

This has the same underlying issue as T385752#10780513. I don't see a good solution for how to address this.

We could use CentralAuth to validate that a user has an account on that wiki before making the API call? If they don't have an account, then we could assume they lack the rights to see anything on that wiki?

Dreamy_Jazz moved this task from Inbox to Blocked/Stalled on the Trust and Safety Product Team board.Sep 24 2025, 9:20 PM

Dreamy_Jazz moved this task from Blocked/Stalled to Engineering on the Trust and Safety Product Team board.

This is quite annoying and confusing indeed, in particular the welcome bots spam that follows. I probably would have thought twice before enabling this tool/keeping it active, had there been some sort of warning about this side effect.

Dreamy_Jazz mentioned this in T405889: Disable external permissions check in UserInfoCard.Sep 29 2025, 9:37 AM

mszwarc mentioned this in T405890: Reenable external permission check in UserInfoCard after the issues are fixed.Sep 29 2025, 9:42 AM

Dreamy_Jazz added a project: Essential-Work.Oct 7 2025, 1:29 PM

OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust and Safety Product Team.Oct 10 2025, 9:52 AM

OKryva-WMF moved this task from Inbox to Later sprints on the Product Safety and Integrity board.Oct 10 2025, 9:52 AM

Userinfo API call creates account in all wikis where user is activeOpen, Needs TriagePublicBUG REPORTActions

Description

Related Objects

Event Timeline

Userinfo API call creates account in all wikis where user is active
Open, Needs TriagePublicBUG REPORT
Actions