In T158153#3032207, @Tgr wrote: In scenario 2, the probabilities are exclusive and you can just add them together so the attacker's chance of success is 1E-6 * 1E4 = 0.01, exactly the same. (Actually very slightly larger but the difference starts at the fifth digit after the decimal point.)
Jul 10 2020
Ammarpad awarded T48148: Allow hiding of non-discussion comments in Gerrit a Like token.
kostajh awarded T48148: Allow hiding of non-discussion comments in Gerrit a 100 token.
Jdforrester-WMF awarded T48148: Allow hiding of non-discussion comments in Gerrit a Party Time token.
Jul 9 2020
QChris awarded T48148: Allow hiding of non-discussion comments in Gerrit a Yellow Medal token.
xSavitar awarded T48148: Allow hiding of non-discussion comments in Gerrit a Like token.
Jul 8 2020
Krinkle awarded T48148: Allow hiding of non-discussion comments in Gerrit an Orange Medal token.
Mar 27 2020
Astinson awarded T158604: Investigate usefulness of SameSite cookies for logged-in accounts a Like token.
Dec 25 2019
Bawolff awarded T158604: Investigate usefulness of SameSite cookies for logged-in accounts a Love token.
Nov 11 2018
Liuxinyu970226 awarded T100373: WebAuthn (U2F) integration for Extension:OATHAuth a Like token.
Jun 9 2018
Tgr awarded T48148: Allow hiding of non-discussion comments in Gerrit a Love token.
Feb 16 2017
In T158153#3031406, @Tgr wrote: An attacker can already launch a year-long attack on the normal (non-scratch) tokens. That they change periodically does not protect against that at all.
Feb 15 2017
In T158153#3031153, @Tgr wrote: Whether the number to hit changes every once in a while or not makes no difference whatsoever when you are guessing randomly. For a small number of guesses that's a negligible difference.
In T158153#3030873, @Tgr wrote: In T158153#3030807, @Parent5446 wrote: Note that the scratch tokens operate under a different attack scenario than TOTP codes, and thus they cannot be the same format.
The task description already explains why that difference is negligible (a factor of two at most).
Note that the scratch tokens operate under a different attack scenario than TOTP codes, and thus they cannot be the same format.
Jan 2 2017
In T5311#2626174, @Sumit wrote: @Parent5446 this task has been assigned to you. Do you plan on working on this or mentoring this for the upcoming Outreachy-13 round?
Jan 1 2017
Liuxinyu970226 awarded T5311: Automatic category redirects a Like token.
Dec 19 2016
Parent5446 added a comment to T153691: Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process.
In T153691#2887943, @Bawolff wrote: This of course is equivalent to exposing whether or not the user has OATH enabled, since an attacker could just use a dummy password and then see if they get an OATH prompt.
Parent5446 added a comment to T153691: Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process.
Note that this was achieved in https://gerrit.wikimedia.org/r/280672, so maybe this is more a bug with AuthManager than it is this extension?
Dec 13 2016
In T152926#2869441, @Legoktm wrote: Also, does this task need to be private? Anyone can look up channel modes.
Nov 17 2016
Parent5446 added a comment to T150947: Allow users enabling OATH to create a cryptographic scheme (committed identity) for identification and account recovery.
I'm tempted to decline this, but maybe others feel differently.
Nov 14 2016
In T145915#2792021, @Volans wrote: My 2 cents:
- for the recovery tokens (scratch_tokens) hashing vs encryption depends on the UI, if the user should be able to view them again after the first generation or not.
Nov 13 2016
Parent5446 moved T150564: Improve/Clarify OATHAuth messages from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Parent5446 moved T150587: 2FA recovery codes go on to 2 pages when printed. from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Nov 12 2016
Parent5446 added a comment to T55192: Merge Extension:TwoFactorAuthentication into Extension:OATHAuth.
It should be just that. I filed a bug for every difference between the two at the time.
Parent5446 added a parent task for T100373: WebAuthn (U2F) integration for Extension:OATHAuth: T150565: Support physical OATH/OTP devices.
Oct 12 2016
Parent5446 updated subscribers of T131788: Users should be notified when only two recovery codes are left.
In T131788#2707987, @bd808 wrote: Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?
Parent5446 added a comment to T147901: Add variable to represent group of wikis, rather than using $wgDBname.
Is there some sense of a global site group name in CentralAuth? If there isn't then we should just have a config variable for this extension, rather than forcing the string "Wikimedia".
Oct 4 2016
I'd remove it. I really do not remember why I added it, and if I added it because of people accidentally blocking themselves...well that was a stupid reason. If people want to block themselves, maybe it's for the best anyway.
Sep 21 2016
Jdforrester-WMF awarded T5233: Send a cookie with each block a Like token.
Sep 17 2016
They really should be hashed :)
Jun 3 2016
Parent5446 moved T136988: QR code displayed inconsistently from Backlog to Need for Deployment on the MediaWiki-extensions-OATHAuth board.
Parent5446 moved T124445: Design research support for two step authentication from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Parent5446 moved T100375: Improve user experience of Two-Factor process from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Is there a scenario in which this can be reproduced? Or is it seemingly random?
May 27 2016
I will check it out, although there's a strong possibility this was another bug caused by the lack of URI encoding. I will investigate and report back here.
May 26 2016
Parent5446 added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.
I've lost track of exactly what features AuthManager supports, but does it allow storing of arbitrary user authentication metadata? Because then once Extension:OATHAuth is converted to use AuthManager, we can just have the authentication provider store and fetch the secret from the generic backend interface.
May 2 2016
Qgil awarded T132017: Throttle for newsletter announcements a Love token.
Apr 19 2016
Qgil awarded T132019: Add table prefix to sub-queries in NewsletterTablePager a Yellow Medal token.
Apr 7 2016
Parent5446 added subtasks for T115095: Security review of Newsletter extension: T132016: Add CheckUser integration to Extension:Newsletter, T132017: Throttle for newsletter announcements, T132018: Add newsletter description to log messages, T132019: Add table prefix to sub-queries in NewsletterTablePager, T132022: Add AbuseFilter integration to Extension:Newsletter.
Parent5446 added a parent task for T132017: Throttle for newsletter announcements: T115095: Security review of Newsletter extension.
Parent5446 added a parent task for T132018: Add newsletter description to log messages: T115095: Security review of Newsletter extension.
I am going to make separate tasks for some of the feedback.
Apr 4 2016
Parent5446 added a comment to T131789: Survey how other web properties using 2FA handle account reset.
- Google: They allow login if you have one of any two-factors available (i.e., they support SMS and phone call as alternatives to TOTP). Additionally, when logging in with 2FA, Google allows you to mark a computer as "trusted". You can use a trusted computer that is still logged in to disable 2FA. Otherwise, you need to file an account recovery form, which Google responds to manually after a few business days. Things they ask on the form (I presume they have a further protocol beyond submission of the form, probably involving submission of government ID):
  - The date you created your account and the date you last accessed it (required)
  - Your security question, if enabled (optional, even if the question is enabled)
  - Up to five email addresses you frequently contact and up to five Gmail labels you created (optional)
  - Your first recovery email address (optional)
  - Other Google products you use and approximately when you started using them (optional)
  - An explanation of how you lost access to your account
  - Contact information for sending the password reset
- Facebook: Submission of a government ID, or (strangely) you can take a picture of yourself holding a code that Facebook gives you.
- GitHub, Apple, and Dropbox: Do not offer account recovery at all. You either need a phone with SMS for backup, or another backup token of some sort. If you lose all of your 2FA, you have lost access to your account permanently.
- LastPass: They allow removal of 2FA from the account by just sending a confirmation email to the primary account email. If you lost access to your primary email, I am not sure what options are available.
- Amazon Web Services: You have to file a support ticket to remove 2FA, after which they call you on the phone and ask for some trivial verification information (such as your credit card number on file).
Apr 3 2016
In T15303#2175293, @Galorefitz wrote: In T15303#2173978, @Parent5446 wrote:
- Have a single i18n message in plain text and then convert the message to HTML when needed. (This is the method @Galorefitz describes in T130490).
@Parent5446 I actually proposed the second method in my proposal, not the first, i.e.,
Qgil awarded T110552: Implement logging in Newsletter a Love token.
As a quick note for both this task in general and for @rosalieper and @Galorefitz, we spoke with @siebrand yesterday, and asked him about the two approaches for this task, i.e.:
Apr 2 2016
In T131616#2173123, @ori wrote: To reduce the attack surface. If it's not limited you could just create a million of them and ruin the feature for everybody by making Special:Newsletters time out.
Weird, I don't remember claiming this in Phabricator. Although I can work on it if @01tonythomas wants.
The only interesting question about this is: what about users who are added as publishers to other newsletters by other people? Do we block a user from being added as a publisher when they reach the limit, or do we only block the creation of new newsletters?
Parent5446 moved T131616: Cap the number of active newsletters per user from Backlog to Feature complete on the MediaWiki-extensions-Newsletter board.
Yep I believe so, unless there are other logging actions we wanted implemented.
Apr 1 2016
Literally the only place that error message is used is in the AbortChangePassword hook...
@Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?
@Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.
Feb 24 2016
Parent5446 added a comment to T128017: Outreachy Proposal for T1503: Implement HTML e-mail support in MediaWiki.
Jan 9 2016
Making public since the main bug this is a duplicate of is already public.
Parent5446 updated subscribers of T42998: https://wikipedia.com and similar throw certificate warning.
For some reason "wikipedia.com", and probably any other redirect domains the WMF owns, are not alt names on the certificate.
I have confirmed this in Chrome and Firefox. No warnings in Safari.
Jan 7 2016
I think this bug can probably be closed since the technical requirements have been fulfilled. However, I still think we should actually apply a specific strong policy to accounts.
Nov 19 2015
Dalba awarded T5233: Send a cookie with each block a Mountain of Wealth token.
Nov 7 2015
Parent5446 updated subscribers of T117686: Select participants for Outreachy round 11 by 2015-11-11.
@01tonythomas Just want to clarify. Should we as the mentors be rating these projects right now in the Outreachy application? And if so do we need to alter the Contribution status as well?
Oct 28 2015
I do not think @VitaliyFilippov's patches and the Outreachy project are mutually exclusive. First, I want to echo @Aklapper and just say thanks to @VitaliyFilippov. Patches are always welcome, and save us a bit of work!