On 8/14/07, Brion Vibber brion@wikimedia.org wrote:
This minimizes the risk of someone else milling your accounts for information by making an account which would get merged in due to disuse or matching e-mail address.
Ah. I didn't realize that we'd join across accounts using non-confirmed email data.
This creates an obscure and hard to exploit but fun hole:
Step 1. Pick a prominent non-admin on enwiki who is also not an admin anywhere else.
Step 2. Email them something friendly in order to determine their email address.
Step 3. Create an account on an obsecure wikimedia wiki where obtaining adminship is trivial. Set your email address to theirs, don't confirm.
Step 4. Make some edits edits on the small wiki and become an admin. You now have prefered status for standing as the master account.
Step 5. Merge accounts and enjoy your new enwiki account.
;)
To counter this we need to add a check to not merge across accounts from one without a confirmed email address. I.e. if and only if you have both the password and the account has a confirmed email should you be able to merge to accounts with the same email (confirmed or not) unless you have the password.