Page MenuHomePhabricator
Create Task
Maniphest T410024

ConfirmEdit hCaptcha: Verify sitekey in `siteverify` response was the sitekey given to the client as part of validating the captcha
Closed, ResolvedPublic
Actions

Description

Summary

The ConfirmEdit (CAPTCHA extension) hCaptcha captcha type verifies captchas using a call to an API named siteverify. This code should verify that the sitekey provided to the client matches the sitekey returned by the siteverify API

Background

  • hCaptcha in ConfirmEdit (CAPTCHA extension) allows varying the type of sitekey used for a given request
    • This includes varying the sitekey for an AbuseFilter consequence
  • Currently we do not enforce that the given response token sent by the client during the POST request is associated with any given sitekey
    • This means that a client could modify the JavaScript config variables to use a sitekey that has potentially less restrictions and may be easier to solve
  • To address these issues, we should ensure that the sitekey API response sitekey property is compared against the sitekey that should have been used for the request
    • If the sitekeys do not match, then we should consider that hCaptcha captcha check to have failed

Acceptance criteria

  • In HCaptcha::passCaptcha, the method should return false if the sitekey returned by the siteverify API does not match the the sitekey passed to the client

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Validate sitekey of /siteverify API callmediawiki/extensions/ConfirmEditwmf/1.46.0-wmf.3+263 -7
hCaptcha: Validate sitekey of /siteverify API callmediawiki/extensions/ConfirmEditmaster+263 -7
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Nov 13 2025, 11:54 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 13 2025, 11:54 AM
kostajh edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity.Nov 13 2025, 11:56 AM
kostajh moved this task from Backlog to Ready on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.
kostajh moved this task from Backlog to Ready on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 13 2025, 10:00 PM
sguebo_WMF claimed this task.Nov 14 2025, 3:14 PM
sguebo_WMF changed the task status from Open to In Progress.Nov 15 2025, 12:49 AM
gerritbot added a comment.Nov 15 2025, 2:46 AM

Change #1205290 had a related patch set uploaded (by Samuel (WMF); author: Samuel (WMF)):

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Validate sitekey used for /siteverify API calls

https://gerrit.wikimedia.org/r/1205290

gerritbot added a project: Patch-For-Review.Nov 15 2025, 2:46 AM
kostajh moved this task from Ready to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 17 2025, 2:05 PM
kostajh moved this task from Ready to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 18 2025, 12:17 PM
gerritbot added a comment.Nov 18 2025, 4:13 PM

Change #1205290 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Validate sitekey of /siteverify API call

https://gerrit.wikimedia.org/r/1205290

gerritbot added a comment.Nov 18 2025, 4:15 PM

Change #1206906 had a related patch set uploaded (by Kosta Harlan; author: Samuel (WMF)):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.3] hCaptcha: Validate sitekey of /siteverify API call

https://gerrit.wikimedia.org/r/1206906

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.4; 2025-11-25).Nov 18 2025, 5:00 PM
gerritbot added a comment.Nov 19 2025, 8:53 AM

Change #1206906 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.3] hCaptcha: Validate sitekey of /siteverify API call

https://gerrit.wikimedia.org/r/1206906

Stashbot added a comment.Nov 19 2025, 8:54 AM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T08:54:12Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1206906|hCaptcha: Validate sitekey of /siteverify API call (T410024)]]

Stashbot added a comment.Nov 19 2025, 8:58 AM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T08:58:47Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1206906|hCaptcha: Validate sitekey of /siteverify API call (T410024)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.3; 2025-11-19); removed MW-1.46-notes (1.46.0-wmf.4; 2025-11-25).Nov 19 2025, 9:00 AM
Stashbot added a comment.Nov 19 2025, 9:04 AM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T09:04:45Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1206906|hCaptcha: Validate sitekey of /siteverify API call (T410024)]] (duration: 10m 32s)

Maintenance_bot removed a project: Patch-For-Review.Nov 19 2025, 9:30 AM
kostajh moved this task from In progress to QA on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 19 2025, 10:33 AM
Dreamy_Jazz moved this task from Needs review to Needs QA on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 19 2025, 12:56 PM
kostajh mentioned this in T410657: hCaptcha: Improve support for SiteKey verification.Nov 20 2025, 4:11 PM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12); removed Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).Dec 1 2025, 9:04 AM
OKryva-WMF moved this task from Backlog to Needs QA on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 1 2025, 9:04 AM
hector.arroyo closed this task as Resolved.Dec 10 2025, 11:49 AM
hector.arroyo moved this task from Needs QA to Done on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.
hector.arroyo subscribed.

I've tested this fix by manually changing the public key in the page DOM to one I control (similar to what would be done in a real site key tampering attack), and then submitting the form: The API returns an error and the edit is not saved.

image.png (822×1 px, 295 KB)

Closing this task.

hector.arroyo moved this task from QA to Done on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Thu, Feb 5, 5:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits