
EducationProgram: IP attribution incorrect in a page history and causes privacy leak
Closed, Resolved · Public

Description

This is the page in question:
https://en.wikipedia.org/w/index.php?title=Education_Program:Consumer_Reports/Wikipedia_Volunteer_Corps_Course_(winter_2015)&action=history

The third edit to the page was vandalism by an IP address. However, the page history shows the IP address of the person/account reading the page and not the IP that made the edit. The IP that apparently made the edit has zero contributions: https://en.wikipedia.org/wiki/Special:Contributions/72.68.239.80

Edit: The IP's contributions are showing up now in Special:Contributions at least, but the bug still lives.

I think this is a problem.

Event Timeline

Keegan created this task.Mar 3 2015, 6:11 PM
Keegan raised the priority of this task from to Needs Triage.
Keegan updated the task description. (Show Details)
Keegan added a project: MediaWiki-General.
Keegan added a subscriber: Keegan.
Restricted Application added a subscriber: Aklapper. Mar 3 2015, 6:11 PM
Harej added a subscriber: Harej. (Edited) Mar 3 2015, 6:17 PM

I see 152.179.58.30, which is the IP address I am currently using. http://geoiplookup.wikimedia.org/ verifies this:

{
"city": "Washington",
"country": "US",
"lat": [redacted],
"lon": [redacted],
"IP": "152.179.58.30"
}

(Yes, I live in Washington, DC.)

Krenair added a subscriber: Krenair.Mar 3 2015, 9:45 PM
This comment was removed by chasemp.
MZMcBride triaged this task as High priority.Mar 4 2015, 4:55 AM
MZMcBride added a subscriber: MZMcBride.
Keegan updated the task description. (Show Details)Mar 4 2015, 4:58 AM
Keegan updated the task description. (Show Details)Mar 4 2015, 9:27 PM
Jalexander renamed this task from IP attribution incorrect in a page history to EducationProgram: IP attribution incorrect in a page history and causes privacy leak.Mar 4 2015, 10:48 PM
Jalexander changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Mar 4 2015, 10:48 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: Security.

Pulling this private after talking to Michelle because, while it's now redacted (but still in the history), the database info reveals a user's IP (this is also a problem on-wiki that I'm attempting to deal with). I adjusted the title since this bug seems to be the cause of that issue as well, which is, indeed, a privacy policy problem.

It was not my intent to drop any current subscribers (you should all be able to view the bug still). If you can't, let me know and I'll go about trying to fix that. [I'm also ok with making the bug public if we can delete the history of the comment in question, but I don't think that's possible in Phabricator.]

Seems pretty similar to T68624.

> It was not my intent to drop any current subscribers (you should all be able to view the bug still). If you can't, let me know and I'll go about trying to fix that. [I'm also ok with making the bug public if we can delete the history of the comment in question, but I don't think that's possible in Phabricator.]

@chasemp can do that for you.

Thanks Chase, below is the redacted version of the comment so that it can still be used (originally from @Krenair).

MariaDB [enwiki_p]> select course_id, course_title from ep_courses where course_title like '%Consumer Reports%';
+-----------+-----------------------------------------------------------------+
| course_id | course_title                                                    |
+-----------+-----------------------------------------------------------------+
|       531 | Consumer Reports/Wikipedia Volunteer Corps Course (winter 2015) |
+-----------+-----------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [enwiki_p]> select rev_id, rev_time, rev_user_id, rev_user_text, rev_comment from ep_revisions where rev_object_id = 531 order by rev_time desc;
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
| rev_id | rev_time       | rev_user_id | rev_user_text | rev_comment                                                     |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
|   2561 | 20150303165749 |     7830073 | Bluerasberry  | Undo revision made on 18:05, 27 February 2015 by [redacted] |
|   2539 | 20150227180530 |           0 | 72.68.239.80  | this course promotes vandalismm                                 |
|   2430 | 20150207155213 |      319203 | Ragesoss      | add dashboard link                                              |
|   2173 | 20150107153632 |     7830073 | Bluerasberry  |                                                                 |
+--------+----------------+-------------+---------------+-----------------------------------------------------------------+
4 rows in set (0.01 sec)
Jalexander changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 4 2015, 11:38 PM
Jalexander changed the edit policy from "Custom Policy" to "All Users".
Jalexander changed Security from Software security bug to None.

Moved back to public (though I kept Security as a project for now because it's still a privacy-related bug).

rev_deleted = 10 would not work (guess EducationProgram does not check that?), so we set rev_comment = '[comment redacted by [[m:System administrators|sysadmin]], ref phabricator T91416]'

chasemp removed a subscriber: chasemp.Mar 4 2015, 11:55 PM

Change 194448 had a related patch set uploaded (by Alex Monk):
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448

Barras added a subscriber: Barras.Mar 5 2015, 11:41 AM
Elitre added a subscriber: Elitre.Mar 5 2015, 1:21 PM

Change 194448 merged by jenkins-bot:
Load anonymous users by name

https://gerrit.wikimedia.org/r/194448
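An added illustration of the two defects discussed in this task, written for this page and not taken from EducationProgram or MediaWiki: attributing an anonymous revision (rev_user_id = 0) by loading the user by id, which resolves to the viewer's own request IP, versus loading it by the stored rev_user_text, and honouring the rev_deleted bits that the "rev_deleted = 10" attempt relied on. The id-0-falls-back-to-request-IP behaviour and the bit values DELETED_COMMENT = 2, DELETED_RESTRICTED = 8 are assumptions about MediaWiki core; the rows are constructed from the ep_revisions output quoted above.

```python
# Added illustration (not EducationProgram or MediaWiki code). Assumed from
# MediaWiki core: loading user id 0 yields an anonymous User whose name falls
# back to the current request's IP; rev_deleted bits COMMENT=2, RESTRICTED=8.
DELETED_COMMENT = 2
DELETED_RESTRICTED = 8

# Constructed rows modelled on the ep_revisions output quoted in this task.
EP_REVISIONS = [
    {"rev_id": 2539, "rev_user_id": 0, "rev_user_text": "72.68.239.80",
     "rev_comment": "this course promotes vandalismm", "rev_deleted": 0},
    {"rev_id": 2430, "rev_user_id": 319203, "rev_user_text": "Ragesoss",
     "rev_comment": "add dashboard link", "rev_deleted": 0},
]
USERS_BY_ID = {319203: "Ragesoss"}  # constructed stand-in for the user table


def user_name_from_id(user_id, request_ip):
    """Model of User::newFromId(): id 0 is 'anonymous', and an anonymous user
    with no name set reports the IP of whoever is making *this* request."""
    if user_id == 0:
        return request_ip
    return USERS_BY_ID[user_id]


def attribute_buggy(rev, request_ip):
    """Pre-fix behaviour: author resolved by rev_user_id alone, so every
    anonymous edit is attributed to the viewer's own IP (the leak)."""
    return user_name_from_id(rev["rev_user_id"], request_ip)


def attribute_fixed(rev, request_ip):
    """Post-fix behaviour ('Load anonymous users by name'): for id 0 the
    stored rev_user_text is the IP that actually made the edit."""
    if rev["rev_user_id"] == 0:
        return rev["rev_user_text"]
    return user_name_from_id(rev["rev_user_id"], request_ip)


def render_comment(rev, viewer_rights=frozenset()):
    """Check rev_deleted before showing an edit summary. rev_deleted = 10 is
    COMMENT | RESTRICTED, so only a viewer holding 'suppressrevision' may see
    it; a renderer that skips this check shows suppressed text to everyone."""
    bits = rev["rev_deleted"]
    if bits & DELETED_COMMENT:
        needed = "suppressrevision" if bits & DELETED_RESTRICTED else "deletedhistory"
        if needed not in viewer_rights:
            return "(edit summary removed)"
    return rev["rev_comment"]
```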

Keegan closed this task as Resolved.Mar 24 2015, 4:32 AM
Keegan claimed this task.
Krenair claimed this task.Mar 24 2015, 4:50 AM
csteipp edited projects, added Privacy; removed Vuln-Infoleak.