I was wrong... Just lets you attach your account to the homewiki global account, but the global account still gets the homewiki's password. So the attacker still doesn't have access to the global account.
Combined with bug 70469, this lets the owner of the homewiki take over an account they don't own, but that's less serious.
Created attachment 16497
Check home wiki password before merge - 1.24 wmf22
Rebased on top of gerrit 158578.
After this is public, I'll make all those bool flags an options array.