This is indeed a problem, but given that rename permissions are granted
by default to bureaucrats, who are the most trusted users, and on small
wikis typically sysadmins with shell access, this shouldn't be very
dangerous. A sysadmin with shell access will be able to steal your
It's a problem in the case of large wikis like those on WMF
On Fri, Mar 8, 2013 at 2:19 AM, Ryan Lane <rlane32(a)gmail.com> wrote:
Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
extension for the case that MediaWiki is used as a “provider” and the wiki
allows renaming of users.
All previous versions of the OpenID extension used user-page URLs as
identity URLs. On wikis that use the OpenID extension as “provider” and
allow user renames, an attacker with rename privileges could rename a user
and could then create an account with the same name as the victim. This
would have allowed the attacker to steal the victim’s OpenID identity.
Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id>
as the user’s identity URL, <id> being the immutable MediaWiki-internal
userid of the user. The user’s old identity URL, based on the user’s
user-page URL, will no longer be valid.
The user’s user page can still be used as OpenID identity URL, but will
delegate to the special page.
This is a breaking change, as it changes all user identity URLs. Providers
are urged to upgrade and notify users, or to disable user renaming.
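A small Python model, added here as an illustration and not code from the OpenID extension or MediaWiki itself (the Wiki class, the example host and the URL layout are assumptions), showing why a name-based identity URL fails the rename-then-recreate sequence described in the advisory while a userid-based one survives it:

```python
"""Toy model (added example, not MediaWiki or OpenID extension code) of why
a user-page URL is an unsafe OpenID identity and an immutable userid is not.

Assumptions (hypothetical, not the extension's real implementation):
- accounts get a monotonically increasing userid that never changes;
- an identity URL is resolved to an account at authentication time.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    userid: int   # immutable, assigned at creation
    name: str     # mutable via rename


@dataclass
class Wiki:
    base: str = "https://wiki.example"   # constructed example host
    accounts: Dict[int, Account] = field(default_factory=dict)
    next_id: int = 1

    def find_by_name(self, name: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.name == name), None)

    def create_user(self, name: str) -> Account:
        if self.find_by_name(name) is not None:
            raise ValueError(f"name already taken: {name}")
        acct = Account(self.next_id, name)
        self.accounts[acct.userid] = acct
        self.next_id += 1
        return acct

    def rename_user(self, old: str, new: str) -> None:
        acct = self.find_by_name(old)
        if acct is None or self.find_by_name(new) is not None:
            raise ValueError("cannot rename")
        acct.name = new   # the userid is untouched by a rename

    # --- the two identity URL schemes ---
    def legacy_identity_url(self, acct: Account) -> str:
        """Pre-3.00 scheme: the identity URL is the user-page URL (name based)."""
        return f"{self.base}/wiki/User:{acct.name}"

    def fixed_identity_url(self, acct: Account) -> str:
        """3.00 scheme: Special:OpenIDIdentifier/<userid>, userid being immutable."""
        return f"{self.base}/wiki/Special:OpenIDIdentifier/{acct.userid}"

    def resolve(self, url: str) -> Optional[Account]:
        """Resolve an identity URL to whichever account currently owns it."""
        by_name = f"{self.base}/wiki/User:"
        by_id = f"{self.base}/wiki/Special:OpenIDIdentifier/"
        if url.startswith(by_name):
            return self.find_by_name(url[len(by_name):])
        if url.startswith(by_id):
            return self.accounts.get(int(url[len(by_id):]))
        return None


def identity_survives_rename(scheme: str) -> bool:
    """True if the victim's stored identity URL still resolves to the victim
    after the rename-and-recreate sequence the advisory describes."""
    wiki = Wiki()
    victim = wiki.create_user("Alice")
    make_url = getattr(wiki, f"{scheme}_identity_url")
    stored_url = make_url(victim)          # what a relying party remembers

    wiki.rename_user("Alice", "Alice (renamed)")
    wiki.create_user("Alice")              # a new account takes the old name

    return wiki.resolve(stored_url) is victim


if __name__ == "__main__":
    print("legacy scheme keeps identity:", identity_survives_rename("legacy"))
    print("fixed scheme keeps identity: ", identity_survives_rename("fixed"))
```

Under the legacy scheme the relying party's stored URL now resolves to whoever holds the name, which is the point of the advisory; under the fixed scheme it still resolves to the original account, because the userid is never reassigned. The delegation the advisory mentions (user page pointing at the special page) keeps the human-readable URL usable without reintroducing the name as the trust anchor.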
Wikitech-l mailing list