Page MenuHomePhabricator
Create Task
Maniphest T48292

ConfirmEdit should block IPs after a set number of failed CAPTCHA attempts
Closed, ResolvedPublic
Actions

Description

Author: carlb613

Description:
While $wgCaptchaBadLoginAttempts appears to activate CAPTCHA after a certain number of bad password attempts are made for an existing account, there needs to be some means of blocking an IP for repeatedly giving random answers to the CAPTCHA itself.

Bots routinely try to play the odds ([[bugzilla:40496]] mentions 4096 possiblities in Asirra, twelve photos with two possibilities, cat or dog, apiece - mw:Extension:VisualMathCaptcha or other simple maths problems in their default configurations are worse still as a random answer to a two-digit sum will be correct 1% of the time).

If the offending IP landed on the block list (and mw:extension:GlobalBlocking if installed) on the third failed CAPTCHA attempt, spammers would be less tempted to try to guess their way past these systems.

There needs to be a way to detect repeated failures (such as dictionary attacks) in much the same way as mw:extension:AbuseFilter can implement three-strikes rules for ongoing vandalism. ([[bugzilla:34913]] raised the issue that AbuseFilter does not have a mechanism to receive reports from other extensions for things like repeated CAPTCHA failures, so its counters can't be used directly here.)

Version: master
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=34914

Details

Reference
bz46292
SubjectRepoBranchLines +/-
Add RateLimit check for false CAPTCHAsmediawiki/extensions/ConfirmEditmaster+29 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 1:27 AM
bzimport added a project: ConfirmEdit (CAPTCHA extension).
bzimport set Reference to bz46292.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Mar 18 2013, 6:24 PM
duplicatebug added a comment.Mar 8 2014, 7:48 AM

Ratelimits can be a possible way to implemt this (Using User::pingLimiter and $wgRateLimits). Should be done on showing captcha and maybe another limit on resolving captchas? Or one limit for both, that should also be okay.

Nemo_bis added a comment.Apr 2 2014, 10:38 PM

This is probably the most important security hole in our captcha, I wouldn't call it a feature request.

duplicatebug unsubscribed.Dec 13 2014, 11:30 AM
Florian claimed this task.Jan 2 2015, 10:41 PM

I think the best is to use wgRateLimits, because it's a built in MediaWiki function and therefore is no need to add a dependency to other extensions in order to use ConfirmEdit with this function :)

gerritbot added a project: Patch-For-Review.Jan 2 2015, 10:59 PM

Change 182551 had a related patch set uploaded (by Florianschmidtwelzow):
Add RateLimit check for false CAPTCHAs

https://gerrit.wikimedia.org/r/182551

Patch-For-Review

Florian moved this task from Backlog to Awaiting Code Review on the ConfirmEdit (CAPTCHA extension) board.Jan 15 2015, 12:17 PM
gerritbot subscribed.Mar 10 2015, 12:15 AM

Change 182551 merged by jenkins-bot:
Add RateLimit check for false CAPTCHAs

https://gerrit.wikimedia.org/r/182551

tstarling mentioned this in rECOE7559502822f5: Add RateLimit check for false CAPTCHAs.Mar 10 2015, 12:15 AM
Florian added a comment.Mar 10 2015, 7:12 AM

With the above patch (merged in ConfirmEdit and will be deployed with 1.25wmf21, see https://www.mediawiki.org/wiki/MediaWiki_1.25/Roadmap for dates and status), ConfirmEdit supports ratelimiting to prevent an action after an configured amount of false CAPTCHA tries. It is deactivated by default, so if we want to enable it on wmf-wikis, we need to configure it. Should we? :)

Florian closed this task as Resolved.Mar 10 2015, 7:21 AM
Florian mentioned this in rMEXT2bf82f9628a6: Updated mediawiki/extensions Project: mediawiki/extensions/ConfirmEdit….Mar 11 2015, 6:28 AM
Nemo_bis added a comment.Mar 11 2015, 12:29 PM

It is deactivated by default, so if we want to enable it on wmf-wikis, we need to configure it. Should we? :)

Absolutely yes.

Nemo_bis added projects: Notice, MW-1.25-release.Mar 11 2015, 12:29 PM
Nemo_bis set Security to None.
Nemo_bis added a parent task: T92376: Set $wgRateLimits['badcaptcha'] to counter bots.Mar 11 2015, 12:36 PM
gpaumier edited projects, added User-notice; removed Notice.Mar 13 2015, 10:13 PM
gpaumier moved this task from To Triage to Not ready to announce on the User-notice board.
gpaumier moved this task from Not ready to announce to Already announced/Archive on the User-notice board.Apr 9 2015, 6:00 PM
Ladsgroup edited projects, added User-notice-archive; removed User-notice.Aug 13 2022, 1:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits