Page MenuHomePhabricator
Create Task
Maniphest T419336

CentralAuth lock bypass on usernames that have md5 collisions
Closed, ResolvedPublicSecurity
Actions

Description

CentralAuth caches CentralAuthUser objects based on the md5 of the username. This can be a security risk because when you log in, MediaWiki can be convinced to log you in on one account, while checking the global account details (locked status, password, etc) of the other. Thus a vandal might be able to register two accounts, and as long as one of them stays unlocked they can still log in to the other one even after it is locked (however local blocks cannot be bypassed).

I experimented, and was able to get this to work on patch demo: This edit https://6484352b88.catalyst.wmcloud.org/w/index.php?title=Main_Page&diff=prev&oldid=143 was made by an account that was locked at the time.

Steps to reproduce

  • Create two accounts that collide. You can use a tool like hashclash to generate them. If you need a pair for testing you can use TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak and TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak
    • As far as i am aware, ascii chosen prefix collisions (i.e. Where the two account names start with different text) are not yet viable for md5, but they would be ideal for an attacker to not be suspicious. As long as you are ok with the same prefix, the attacker does have a fair amount of control over the text of the collision, although at least part of it is going to look fairly random. When using off the shelf scripts, either the 21st, 85th, or 149th letter will have a difference of 4.
  • Vandalize with the first one, get locked by steward
  • Wait 24 hours or do something to flush cache (e.g. change password, email on second account)
  • Do something to make second account loaded into cache (Special:CentralAuth is useful for this)
  • Log in using username of first account but password of second
  • Continue to make edits, they are attributed to first account name
  • people try and lock it but they can't because they already locked it. Vandal continues vandalilizing forever (or until locally blocked)

From an attacker's perspective, the main limitation of course is having two weirdly named accounts with identical prefixes is going to be suspicious, and when one is locked stewards will likely notice the other. Nonetheless this seems like something that could cause a lot of confusion.

It also might result in some special pages returning incorrect results about the user. Special:CentralAuth is a good test bed because it uses the cached results on a GET but the DB results on a POST.

Suggested fix: Stop using md5 in CentralAuthUser::getCacheKey. md5 is always a bad choice. SHA-256 is almost the same speed due to cpus having special instructions. If you really care about speed use blake3 instead. If you extra care about speed and don't care about security i guess you can use murmur. If you're worried about length of hash you can truncate sha256. There is basically no valid reason to use md5 ever.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use sha256 instead of md5 to generate user cache keymediawiki/extensions/CentralAuthmaster+1 -1
Use sha256 instead of md5 to generate user cache keymediawiki/extensions/CentralAuthREL1_43+1 -1
Use sha256 instead of md5 to generate user cache keymediawiki/extensions/CentralAuthREL1_44+1 -1
Use sha256 instead of md5 to generate user cache keymediawiki/extensions/CentralAuthREL1_45+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Mar 8 2026, 8:36 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2026, 8:36 AM
Bawolff added a project: MediaWiki-extensions-CentralAuth.Mar 8 2026, 8:36 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 8 2026, 8:36 AM
RhinosF1 subscribed.Mar 8 2026, 8:50 AM
Johannnes89 subscribed.Mar 8 2026, 9:55 AM
Zabe subscribed.Mar 8 2026, 11:53 AM
Zabe added a comment.Mar 8 2026, 12:11 PM

Changing to xxh3 does not hurt, but I also do not really think that this imposes a big risk, so I would assume it is fine to just push this through gerrit. But will leave that decision to the security team.

0001-SECURITY-Use-xxh3-instead-of-md5-to-generate-user-ca.patch926 BDownload

Tgr subscribed.Mar 8 2026, 1:09 PM

Anything truly dangerous (colliding with a specific, non-attacker-controlled account) would require a preimage attack, which is not feasible against md5. So +1 to doing this via gerrit.

Bawolff added a comment.Mar 8 2026, 4:39 PM
In T419336#11685413, @Zabe wrote:

Changing to xxh3 does not hurt, but I also do not really think that this imposes a big risk, so I would assume it is fine to just push this through gerrit. But will leave that decision to the security team.

0001-SECURITY-Use-xxh3-instead-of-md5-to-generate-user-ca.patch926 BDownload

I dont think xxh3 is an appropriate choice here

Bawolff updated the task description. (Show Details)Mar 8 2026, 4:42 PM
Tgr added a comment.Mar 9 2026, 12:15 PM

Yeah the xxh family are usually described as non-cryptographic hashes.

If you really care about speed use blake3 instead.

There's no native support for blake3 in PHP.

I think sha256 should be fine? There's in-process caching so it will only be called 1-2 times per request.

We could also just always double-check the username after loading, and not care about the hash, but that seems more effort.

Tgr added subscribers: OWresch-WMF, JTweed-WMF.Mar 9 2026, 4:02 PM
sbassett edited projects, added: SecTeam-Processed, Vuln-CryptoFailures; removed: Security-Team.Mar 9 2026, 5:57 PM
sbassett subscribed.
In T419336#11685445, @Tgr wrote:

Anything truly dangerous (colliding with a specific, non-attacker-controlled account) would require a preimage attack, which is not feasible against md5. So +1 to doing this via gerrit.

Agreed, making this task public as a code-hardening effort.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Mar 9 2026, 5:57 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Pskyechology subscribed.Mar 9 2026, 6:23 PM
SomeRandomDeveloper subscribed.Mar 9 2026, 6:48 PM
JTweed-WMF edited projects, added: MediaWiki-Platform-Team (Kanban Board); removed: MediaWiki-Platform-Team.Mar 23 2026, 3:53 PM
A_smart_kitten subscribed.Mar 27 2026, 10:39 AM
matmarex added a subscriber: DAlangi_WMF.Apr 8 2026, 1:14 PM
matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Kanban Board) board.Apr 14 2026, 8:39 PM
gerritbot added a comment.Apr 17 2026, 6:21 PM

Change #1273907 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1273907

gerritbot added a project: Patch-For-Review.Apr 17 2026, 6:21 PM
matmarex claimed this task.Apr 17 2026, 6:21 PM
Bugreporter2 awarded a token.Apr 18 2026, 3:04 PM
gerritbot added a comment.Apr 27 2026, 11:26 PM

Change #1273907 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1273907

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2026, 11:31 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.26; 2026-04-28).Apr 28 2026, 12:01 AM
matmarex closed this task as Resolved.Apr 28 2026, 1:57 PM
gerritbot added a comment.Apr 28 2026, 9:43 PM

Change #1278635 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@REL1_43] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278635

gerritbot added a project: Patch-For-Review.Apr 28 2026, 9:43 PM

Change #1278636 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@REL1_44] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278636

gerritbot added a comment.Apr 28 2026, 9:44 PM

Change #1278637 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@REL1_45] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278637

gerritbot added a comment.Apr 28 2026, 9:56 PM

Change #1278637 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_45] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278637

gerritbot added a comment.Apr 28 2026, 9:56 PM

Change #1278636 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_44] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278636

gerritbot added a comment.Apr 28 2026, 9:57 PM

Change #1278635 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_43] Use sha256 instead of md5 to generate user cache key

https://gerrit.wikimedia.org/r/1278635

Maintenance_bot removed a project: Patch-For-Review.Apr 28 2026, 10:31 PM
matmarex mentioned this in T424935: CentralAuth: Locked accounts can keep editing after lock is made.May 1 2026, 9:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits