
Multiple failed attempts to log in to Wikimedia Commons as ErfgoedBot
Closed, Resolved | Public | Security

Description

There have been 110 failed attempts to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.

From logstash:
Login failed for normal ErfgoedBot from 172.16.0.87 - check_emailable_users (commons:commons; User:ErfgoedBot) Pywikibot/6.6.2 (-1 (unknown)) requests/2.20.1 Python/3.9.2.final.0 - :::::v4: User "ErfgoedBot" does not have a bot password named "ErfgoedBot@ErfgoedBot-Toolforge".

Not sure what is going on here. I do see some edits at https://commons.wikimedia.org/wiki/Special:Contributions/ErfgoedBot today

Details

Author Affiliation
Wikimedia Communities

Event Timeline

Are you concerned that someone logged into the bot account without your permission? You said you were able to log into the bot account

Tired of the email spam:

There have been 1,755 failed attempts to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.

Disabled all jobs until this is sorted out. No edits since the 13th anyway.

Perhaps this should be public to give it more eyes. Afaict this is about account security but not a "security" bug (ie not a security vuln) and there is no private data here.

Are you concerned that someone logged into the bot account without your permission? You said you were able to log into the bot account

That's what I thought at first. After I looked at the logs, it looks like a broken bot

Perhaps this should be public to give it more eyes. Afaict this is about account security but not a "security" bug (ie not a security vuln) and there is no private data here.

Agree

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 19 2025, 10:00 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".

Could you provide the link from Special:OAuthListConsumers? I.e. something like Special:OAuthListConsumers/view/[hash]. When searching there I was unable to find any OAuth applications with the name ErfgoedBot-Toolforge or variants of it, nor did I find any that were published by Multichill.


Could you provide the link from Special:OAuthListConsumers? I.e. something like Special:OAuthListConsumers/view/[hash]. When searching there I was unable to find any OAuth applications with the name ErfgoedBot-Toolforge or variants of it, nor did I find any that were published by Multichill.

Based on the previous description this bot isn't oauth based.

Any further information on what's going on? Is this a bot that used to work but now doesn't, and you think this login error is to blame? Or it stopped working earlier and the login error happened on top of that?

User "ErfgoedBot" does not have a bot password named "ErfgoedBot@ErfgoedBot-Toolforge"

sounds like an issue at the DB (or DB configuration) level although I can't really imagine how that would happen.

Logstash says this started on the 12th (a Sunday).

Generated a new bot password ErfgoedBot@ErfgoedBot-Toolforge2025. Fired up the bot and getting this error:

WARNING: No user is logged in on site commons:commons
WARNING: /data/project/heritage/.venv/lib/python3.9/site-packages/pywikibot/login.py:351: _PasswordFileWarning: The BotPassword entry should only include the suffix
  warn('The BotPassword entry should only include the suffix',

Logging in to commons:commons as ErfgoedBot@ErfgoedBot@ErfgoedBot-Toolforge2025
WARNING: API warning (main): Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes. Use [[Special:ApiFeatureUsage]] to see usage of deprecated features by your application.
WARNING: API warning (login): Fetching a token via "action=login" is deprecated. Use "action=query&meta=tokens&type=login" instead.
ERROR: Received incorrect login token. Forcing re-login.
ERROR: Login failed (Failed).
WARNING: Could not save page [[commons:Commons:Monuments database/Unknown fields/monuments se-arbetsl (sv)]] (Updating the list of unknown fields with 0 entries)

Looking at https://github.com/wikimedia/labs-tools-heritage/blob/master/requirements.txt#L14 we seem to be running an ancient version (6.6.2) of Pywikibot. According to https://pywikibot.toolforge.org/, current stable is 10.7.0

Did a fresh pywikibot install from git

WARNING: <string>:1: _PasswordFileWarning: The BotPassword entry should only include the suffix

The file contained:

('ErfgoedBot', BotPassword('ErfgoedBot@ErfgoedBot-Toolforge2025', 'xxx'))

In the log I see:

Login failed for normal ErfgoedBot@ErfgoedBot@ErfgoedBot-Toolforge2025 from ...

Changed it to:

('ErfgoedBot', BotPassword('ErfgoedBot-Toolforge2025', 'xxx'))

Now it works:

Logging in to wikipedia:nl as ErfgoedBot@ErfgoedBot-Toolforge2025
Logged in on wikipedia:nl as ErfgoedBot.

And in the log:

Login succeeded for normal ErfgoedBot from 172.16.2.61 - login (wikipedia:nl; User:ErfgoedBot) Pywikibot/10.7.0 (g1) requests/2.32.5 Python/3.13.5.final.0

I checked my local account (BotMultichill) and it has the same configuration. I also had the long name in the configuration. It's been like that since BotPasswords have been introduced.
I'm able to log in at first, but after a bit of fiddling I'm able to get the same error. After I trim the config, it logs in properly. My guess is that the BotPassword never actually worked and that an old session was still valid. In T395205 it's mentioned that a session is valid up to a year.

If that's true, we shouldn't be able to find a login event for "ErfgoedBot" (and BotMultichill for that matter) between 2025-06-08 (T395205) and when this issue started.
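An added example (not Pywikibot's or the heritage tool's own code) that shows why the long BotPassword entry produced the user@user@suffix login name in the logs, normalizes such an entry to the suffix-only form that fixed the login above, and tallies failed versus succeeded logins per name from constructed logstash-style lines in the format quoted in this task:

```python
import re
from collections import Counter

def effective_login_name(username: str, suffix: str) -> str:
    """Login name MediaWiki ends up seeing: Pywikibot joins <username>@<suffix>.
    With a suffix that already starts with 'ErfgoedBot@' this doubles the user part."""
    return f"{username}@{suffix}"

def normalize_botpassword_suffix(username: str, suffix: str) -> tuple:
    """Return (suffix, was_fixed). A suffix carrying the 'user@' prefix is trimmed,
    which is the change that made the login work in this task; any other '@' is
    rejected because a bot password name never contains one."""
    prefix = f"{username}@"
    if suffix.startswith(prefix):
        return suffix[len(prefix):], True
    if "@" in suffix:
        raise ValueError(f"bot password suffix must not contain '@': {suffix!r}")
    return suffix, False

# Matches the leading part of the logstash lines quoted in the task.
LOGIN_RE = re.compile(
    r"^Login (?P<result>failed|succeeded) for normal (?P<name>\S+) from (?P<ip>\S+)")

def summarize_login_log(lines):
    """Per login name, count failed and succeeded attempts; non-matching lines are skipped."""
    counts = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        counts.setdefault(m["name"], Counter())[m["result"]] += 1
    return counts

# Constructed sample lines (hypothetical, modelled on the task's log excerpts).
SAMPLE_LOG = [
    "Login failed for normal ErfgoedBot from 172.16.0.87 - check_emailable_users Pywikibot/6.6.2",
    "Login failed for normal ErfgoedBot from 172.16.0.87 - check_emailable_users Pywikibot/6.6.2",
    "Login failed for normal ErfgoedBot@ErfgoedBot@ErfgoedBot-Toolforge2025 from 172.16.0.87 - login",
    "Login succeeded for normal ErfgoedBot from 172.16.2.61 - login (wikipedia:nl) Pywikibot/10.7.0",
    "unrelated line that the regex ignores",
]

if __name__ == "__main__":
    bad = "ErfgoedBot@ErfgoedBot-Toolforge2025"
    print("sent as:", effective_login_name("ErfgoedBot", bad))
    print("normalized:", normalize_botpassword_suffix("ErfgoedBot", bad))
    for name, c in summarize_login_log(SAMPLE_LOG).items():
        print(name, dict(c))
```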

Mentioned in SAL (#wikimedia-cloud) [2025-11-02T15:23:59Z] <wmbot~multichill@tools-bastion-14> T407159 login issue fixed, depolyed update-monuments. Created T409000 for missing jobs

In T395205 it's mentioned that a session is valid up to a year.

Sessions are valid forever. (More precisely, sessions expire in a day but authentication cookies are valid forever as long as you obtained them with the "keep me logged in" option, and will silently create a new session if needed.) Authentication cookies expire in a year, but that's a client-side limit and bots don't necessarily honor it.

If that's true, we shouldn't be able to find a login event for "ErfgoedBot" (and BotMultichill for that matter) between 2025-06-08 (T395205) and when this issue started.

Logs only go back 90 days. There are no login attempts for BotMultichill in that range. There are no login attempts from ErfgoedBot until 2025-10-13 (when this task was filed) and then a big spike of failed attempts between the 13th and 19th.