On 8/14/07, Thomas Dalton thomas.dalton@gmail.com wrote:
I'd create the takeover account and not set its password to the matching one before minutes of merging them.
[ed: email address was intended there instead of password]
Exactly right. A non-confirmed email address shouldn't be used for anything, at all, since without confirmation, it's just a random string. If you really want to use unconfirmed email addresses, then give control of accounts with unconfirmed addresses to accounts with confirmed addresses, but definitely not the other way around; that is a major loophole.
Major might be a bit of an overstatement. The attacker still needs to win the home wiki election. Otherwise the lack of a matching password locks them out, as Kat discovered upthread.
Against an account with a sizable history the most obvious and probably easy way to win the election is to become an admin with that name when they are not an admin anywhere... This is what I did for my test (I had Brion sysop a virtual sock of my bot account on test).
Brion's right about the email, but the attacker could just change it at the last moment. It takes a while for people to check their mail.
I'm sure if anyone actually pulled this off we'd just correct it and life would go on... but it would be nice to avoid it. Asking for a password in order to cross an email linkage from an unconfirmed side would be simple enough.
Alternatively, SUL could push people who are unconfirmed at their home wiki to confirm. ... This would be wise because once the dust is settled on SUL the issue of mandatory confirmed email for upload on commons is going to be raised again. Last time it appeared to have a reasonable level of support, but was put off until SUL was done to avoid further inconveniencing users from the Wikipedias.
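The merge rule discussed in this thread, as an added example that is not part of the original messages and is not SUL's actual code. It compares an email link that ignores confirmation with one that only lets a confirmed home account claim by email; all class and function names, the edit-count tie-break in the election, and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class LocalAccount:
    wiki: str
    email: str
    email_confirmed: bool
    password_ok: bool      # does the password supplied at merge time verify here?
    is_admin: bool = False
    edits: int = 0

def elect_home(accounts):
    # Assumed election rule: admin status outranks edit count.
    return max(accounts, key=lambda a: (a.is_admin, a.edits))

def email_link_naive(home, other):
    # Loophole: compares address strings without checking confirmation.
    return home.email.lower() == other.email.lower()

def email_link_strict(home, other):
    # An unconfirmed address on the claiming side is an arbitrary string,
    # so only a confirmed home account may cross an email link.
    return home.email_confirmed and home.email.lower() == other.email.lower()

def merge(accounts, email_link):
    """Return (home wiki, attached wikis, wikis left unattached)."""
    home = elect_home(accounts)
    attached, left_out = [home.wiki], []
    for acct in accounts:
        if acct is home:
            continue
        # A matching password always attaches; otherwise the email rule decides.
        if acct.password_ok or email_link(home, acct):
            attached.append(acct.wiki)
        else:
            left_out.append(acct.wiki)
    return home.wiki, attached, left_out

def sample_accounts():
    # Constructed data: a long-standing account with a confirmed address, and a
    # same-name admin account elsewhere whose unconfirmed address was set to match.
    owner = LocalAccount("enwiki", "owner@example.org", True, False, edits=5000)
    sock = LocalAccount("testwiki", "owner@example.org", False, True, is_admin=True)
    return [owner, sock]

if __name__ == "__main__":
    for rule in (email_link_naive, email_link_strict):
        print(rule.__name__, merge(sample_accounts(), rule))
```

Under the strict rule the unattached account stays locked behind its own password, which is the "ask for a password to cross an email linkage from an unconfirmed side" behaviour suggested above.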