On 8/14/07, Thomas Dalton <thomas.dalton(a)gmail.com> wrote:
> I'd create the takeover account and not set its password to the matching
> one before minutes of Merging them.
[ed: email address was intended there instead of password]
Exactly right. A non-confirmed email address shouldn't be used for
anything, at all, since without confirmation, it's just a random
string. If you really want to use unconfirmed email addresses, then
give control of accounts with unconfirmed addresses to accounts with
confirmed addresses, but definitely not the other way around, that is
a major loophole.
Major might be a bit of an overstatement. The attacker still needs to
win the home wiki election. Otherwise the lack of a matching password
locks them out, as Kat discovered upthread.
Against an account with a sizable history the most obvious and
probably easy way to win the election is to become an admin with that
name when they are not an admin anywhere... This is what I did for my
test (I had Brion sysop a virtual sock of my bot account on test).
Brion's right about the email, but the attacker could just change it
at the last moment. It takes a while for people to check their mail.
I'm sure if anyone actually pulled this off we'd just correct it and
life would go on... but it would be nice to avoid it. Asking for a
password in order to cross an email linkage from an unconfirmed side
would be simple enough.
Alternatively, SUL could push people who are unconfirmed at their home
wiki to confirm. ... This would be wise because once the dust is
settled on SUL the issue of mandatory confirmed email for upload on
commons is going to be raised again. Last time it appeared to have a
reasonable level of support, but was put off until SUL was done to
further inconveniencing users from the Wikipedias.
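
[Added example, not part of the original thread and not MediaWiki/SUL code: a simplified model of the merge rule discussed above, where an email match from an unconfirmed home account is never enough on its own and falls back to a password check. The names Account, Decision, merge_decision and plan_merge, and all sample accounts, are hypothetical and constructed for illustration.]

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ATTACH = "attach"                  # link without further proof
    NEEDS_PASSWORD = "needs_password"  # email matches, but the claiming side is unconfirmed
    NO_LINK = "no_link"                # nothing ties the two accounts together


@dataclass(frozen=True)
class Account:  # hypothetical model of one per-wiki account
    wiki: str
    email: str
    email_confirmed: bool


def _norm(email: str) -> str:
    return email.strip().lower()


def merge_decision(home: Account, other: Account, password_ok: bool = False) -> Decision:
    """Decide whether `home` (the home wiki election winner) may absorb `other`."""
    if password_ok:                   # a matching password always suffices
        return Decision.ATTACH
    if not home.email or _norm(home.email) != _norm(other.email):
        return Decision.NO_LINK
    if home.email_confirmed:          # confirmed side may take the matching address
        return Decision.ATTACH
    return Decision.NEEDS_PASSWORD    # an unconfirmed address is just a string


def plan_merge(home, others, passwords_ok=frozenset()):
    """Map each wiki name to the decision for its account."""
    return {a.wiki: merge_decision(home, a, a.wiki in passwords_ok) for a in others}


# Constructed sample data: the same home account with and without a confirmed address.
UNCONFIRMED_HOME = Account("testwiki", "user@example.org", False)
CONFIRMED_HOME = Account("testwiki", "user@example.org", True)
OTHERS = [
    Account("enwiki", "User@Example.org", True),
    Account("commonswiki", "user@example.org", False),
    Account("dewiki", "someone.else@example.org", True),
]

if __name__ == "__main__":
    for label, home in (("unconfirmed", UNCONFIRMED_HOME), ("confirmed", CONFIRMED_HOME)):
        print(label, {w: d.value for w, d in plan_merge(home, OTHERS).items()})
```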