fyi
---------- Forwarded message ----------
From: Sage Ross ragesoss+wikipedia@gmail.com
Date: 2009/7/22
Subject: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
To: wikitech-l@lists.wikimedia.org
I'm not sure what to do about this; it seems like a good idea but a major security risk:
http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_w...
The user who made it has very little editing history, and the site aggregates watchlists across multiple projects, but requires inputting your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this.
-Sage Ross (User:Ragesoss)
_______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Update: The developer of watchlistr is now discussing on wikitech-l how to do this on the toolserver, and how to authenticate without passwords being saved on the toolserver (which is not allowed). Further detail no doubt to come :-)
- d.
That's interesting. Someone signs up with service X to pull details from your service Y that perhaps you don't want the world to know. Like that you've watchlisted Oral Sex.
How do I, as service X make sure that you as Service Y actually have the user's approval for this pulling of my data?
Seems like, in-project we would need some sort of user-embedded flag to say "Talk with service Y it's OK!" That would be the only secure way to do it, wouldn't it?
Will Johnson
-----Original Message-----
From: David Gerard dgerard@gmail.com
To: English Wikipedia wikien-l@lists.wikimedia.org
Sent: Thu, Jul 23, 2009 11:56 am
Subject: Re: [WikiEN-l] [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Update: The developer of watchlistr is now discussing on wikitech-l how to do this on the toolserver, and how to authenticate without passwords being saved on the toolserver (which is not allowed). Further detail no doubt to come :-)
- d.
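The "user-embedded flag" raised in the thread, sketched as an added example (not part of any message above and not MediaWiki's or the toolserver's code): the wiki records a per-user approval for a named outside tool and hands that tool a scoped, revocable token, so the tool never sees the password. The class, the scope strings, the user name and the tool name are all hypothetical, and the sketch assumes the wiki has already identified which tool is calling.

```python
import hashlib
import secrets


class GrantRegistry:
    """Kept by the wiki, the service that owns the data (hypothetical design)."""

    def __init__(self):
        # sha256(token) -> (user, client, scopes); raw tokens are never stored
        self._grants = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def approve(self, user, client, scopes):
        """Called only from the user's own logged-in session on the wiki."""
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = (user, client, frozenset(scopes))
        return token  # given to the outside tool in place of a password

    def revoke(self, user, client):
        """The user withdraws approval; every token held by that tool dies."""
        stale = [d for d, (u, c, _) in self._grants.items() if (u, c) == (user, client)]
        for d in stale:
            del self._grants[d]
        return len(stale)

    def authorize(self, token, client, scope):
        """Return the user name if this tool may use this scope, else None."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return None
        user, granted_client, scopes = grant
        if granted_client != client or scope not in scopes:
            return None
        return user


def demo():
    wiki = GrantRegistry()
    # Constructed sample values: one user approves one tool for read-only watchlist access.
    token = wiki.approve("ExampleUser", "watchlist-aggregator", {"watchlist:read"})
    results = [
        wiki.authorize(token, "watchlist-aggregator", "watchlist:read"),  # approved use
        wiki.authorize(token, "watchlist-aggregator", "page:edit"),       # scope never granted
        wiki.authorize(token, "other-tool", "watchlist:read"),            # token presented by another tool
    ]
    wiki.revoke("ExampleUser", "watchlist-aggregator")
    results.append(wiki.authorize(token, "watchlist-aggregator", "watchlist:read"))
    return results


if __name__ == "__main__":
    print(demo())
```

A leaked token in this model exposes only the granted scope until the user revokes it, whereas a leaked password exposes the whole account.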