On 8/14/07, Brion Vibber <brion(a)wikimedia.org> wrote:
This minimizes the risk of someone else milling your
accounts for
information by making an account which would get merged in due to disuse
or matching e-mail address.
Ah. I didn't realize that we'd join across accounts using
non-confirmed email data.
This creates an obscure and hard to exploit but fun hole:
Step 1. Pick a prominent non-admin on enwiki who is also not an admin
anywhere else.
Step 2. Email them something friendly in order to determine their email address.
Step 3. Create an account on an obsecure wikimedia wiki where
obtaining adminship is trivial. Set your email address to theirs,
don't confirm.
Step 4. Make some edits edits on the small wiki and become an admin.
You now have prefered status for standing as the master account.
Step 5. Merge accounts and enjoy your new enwiki account.
;)
To counter this we need to add a check to not merge across accounts
from one without a confirmed email address. I.e. if and only if you
have both the password and the account has a confirmed email should
you be able to merge to accounts with the same email (confirmed or
not) unless you have the password.