Brion Vibber wrote:
Gregory Maxwell wrote:
> On 8/14/07, Brion Vibber wrote:
>> This minimizes the risk of someone else milling your accounts for
>> information by making an account which would get merged in due to disuse
>> or matching e-mail address.
> Ah. I didn't realize that we'd join across accounts using
> non-confirmed email data.
I thought we did this.
You can reset the password if the email is set to your
e-mail address.
Thus any account that matches the email will be given to you if you are
confirmed (by password) to own the master account.
Once merged, the first thing to do would be change the email on the
account taken over :-)
This creates an obscure and hard to exploit but fun hole:
Step 1. Pick a prominent non-admin on enwiki who is also not an admin
anywhere else.
Step 2. Email them something friendly in order to determine their email address.
Step 3. Create an account on an obscure Wikimedia wiki where
obtaining adminship is trivial. Set your email address to theirs,
don't confirm.
You don't have a choice about confirmation -- when you set the e-mail
address it'll send a confirmation email automatically. Thus they're
alerted, and the jig, as they say, is up. :)
Then what?
It alerts them to the action, but they can't stop it. The confirmation message
says:
Someone, probably you from IP address X.Y.Z, has registered an
account "YourName" with this e-mail address on Wikipedia.
To confirm that this account really does belong to you and activate
e-mail features on Wikipedia, open this link in your browser:
http://test.wikipedia.org/wiki/Special:Confirmemail/baddeefbaddeefbaddeefba…
If this is *not* you, don't follow the link. This confirmation code
will expire at XXX
So, there's no option to "refuse" the email connection. The receiver may
think, "oh, somebody registered an account with my name at the wikipedia
in a strange language" but not worry about it any more (note he's relating
the warning to the username, not to his email).
If he checks the contributions he will see a user with good edits. If
username clashes are as common as Anthony says, he won't think about it again
(until he loses his account).
He would need to be paranoid, know this vulnerability, and run to
warn a steward or take it over himself. And still he'll need to sleep.
I'd create the takeover account and not set its password to the matching
one until minutes before merging them.
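The merge rule the thread argues about, as an added model (not MediaWiki's own code): local accounts are pulled into a master on a password match or a bare e-mail match, versus a hardened rule that only trusts an e-mail match once the address has been confirmed through the confirmation link. The account records and wiki names are constructed.

```python
"""Constructed model of the account-merge decision discussed above.

Not MediaWiki code. Shows why merging on an unconfirmed e-mail address
lets a squatter account (victim's address typed in, confirmation mail
never answered) ride into the victim's merged account, and the check
that excludes it."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class LocalAccount:
    wiki: str
    name: str
    email: str
    email_authenticated: bool   # True only after the confirmation link was followed
    password_hash: str


def weak_merge_rule(master: LocalAccount, cand: LocalAccount) -> bool:
    """Rule implied by the thread: same password, or same e-mail whether confirmed or not."""
    return (cand.password_hash == master.password_hash
            or cand.email.lower() == master.email.lower())


def hardened_merge_rule(master: LocalAccount, cand: LocalAccount) -> bool:
    """Trust an e-mail match only when both sides confirmed the address.
    Whoever set the victim's address without access to the mailbox cannot
    follow the confirmation link, so the candidate stays unmerged."""
    if cand.password_hash == master.password_hash:
        return True
    return (master.email_authenticated and cand.email_authenticated
            and cand.email.lower() == master.email.lower())


def merge_set(master: LocalAccount, cands: List[LocalAccount],
              rule: Callable[[LocalAccount, LocalAccount], bool]) -> List[str]:
    """Wikis whose local account would be merged into the master under `rule`."""
    return sorted(c.wiki for c in cands if rule(master, c))


# Constructed sample: the victim's real accounts plus a squatter on an obscure wiki
# that entered the victim's address and never confirmed it.
VICTIM_MASTER = LocalAccount("enwiki", "Victim", "victim@example.org", True, "hash-v")
VICTIM_DE = LocalAccount("dewiki", "Victim", "victim@example.org", True, "hash-v")
SQUATTER = LocalAccount("xxwiki", "Victim", "victim@example.org", False, "hash-a")


def demo() -> dict:
    cands = [VICTIM_DE, SQUATTER]
    return {"weak": merge_set(VICTIM_MASTER, cands, weak_merge_rule),
            "hardened": merge_set(VICTIM_MASTER, cands, hardened_merge_rule)}


if __name__ == "__main__":
    print(demo())  # weak rule pulls in xxwiki; hardened rule does not
```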