On May 16, 2012, at 12:03 PM, Daniel Friesen wrote:
> JSON callbacks can be initiated by 3rd party websites.
> Allowing json callbacks to act as the logged in user would allow any website on the
> internet to extract information that is supposed to be private and potentially make
> unauthorized write actions on the wiki.
> Private wiki content could be extracted.
Yep! Still can on some browsers.
> Articles could be edited in your name.
I thought
http://www.mediawiki.org/wiki/Manual:Edit_token protects against this as it is
required for an edit:
http://www.mediawiki.org/wiki/API:Edit
> And up till recently it would have also been possible
> to make some preferences changes that would effectively let someone take over your whole
> account.
I didn't know OptionsToken was new
http://www.mediawiki.org/wiki/API:Options :-(
Cool! Learn something new about mediawiki every day.
Take care,
terry
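The two mitigations this thread turns on, as an added example that is not MediaWiki's own code: a JSONP request (callback= present) is served as anonymous so a third-party page loading it via <script src> with the victim's cookies gets nothing private, and write actions require a token bound to the logged-in session. handle_api, edit_token, SERVER_SECRET and the sample data are assumed names and constructed values.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, Optional, Tuple

SERVER_SECRET = b"constructed-example-secret"  # assumption: per-deployment secret
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.]+$")  # plain identifiers only; no script injection via callback=


def edit_token(session_id: str) -> str:
    """Token tied to the logged-in session. A third-party site cannot read it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_api(params: Dict[str, str], session_id: Optional[str],
               private_data: Dict[str, str]) -> Tuple[int, str]:
    """Minimal API front end; returns (HTTP status, response body)."""
    callback = params.get("callback")
    if callback is not None and not CALLBACK_RE.match(callback):
        return 400, json.dumps({"error": "invalidcallback"})
    # Mitigation 1: a JSONP response is loadable cross-site with the victim's cookies
    # attached, so a callback request is never treated as the logged-in user.
    if callback is not None:
        session_id = None
    action = params.get("action", "query")
    if action == "query":
        body = {"user": session_id or "anonymous",
                "private": private_data.get(session_id) if session_id else None}
        text = json.dumps(body)
        return 200, f"{callback}({text})" if callback is not None else text
    if action == "edit":
        # Mitigation 2: writes need a token bound to the session. A forged cross-site
        # request carries the cookie but cannot supply the matching token.
        supplied = params.get("token", "")
        if session_id is None or not hmac.compare_digest(supplied, edit_token(session_id)):
            return 403, json.dumps({"error": "badtoken"})
        return 200, json.dumps({"edit": {"result": "Success"}})
    return 400, json.dumps({"error": "unknownaction"})
```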