On Tue, Jun 12, 2018 at 3:26 AM Nathan <nawrich(a)gmail.com> wrote:
Is the risk of an attacker taking over an account with CSS/JS edit
permissions any more or less because that person knows how to use CSS/JS?
I tried to address this in the FAQ:
* The number of accounts which can be used to compromise the site will be
drastically reduced. Fewer accounts that can serve as attack vectors means a
smaller chance of an account being vulnerable when the password
database of some third-party website gets compromised. A smaller number of
accounts is also easier to monitor for suspicious logins.
* Beyond the mere numbers of accounts, it will remove the most vulnerable
accounts as attack vectors. Users who can write CSS/JS code probably have
better IT skills in general, and thus better password and system security
practices."
Can we make the edit right temporary, so someone can request it
through a normal simple process, execute their edits, and then
relinquish it? It can be a right that admins could grant to each other,
as long as they can't gift it to themselves.
We can (with some work), and we should. The various ways to make deploying
malicious javascript harder are complementary, and we should do them all.
Separating permissions just happens to be the easiest one.
I feel most people don't appreciate how *extremely* scary the current
situation is. The public backlash around the Seigenthaler affair was
sparked by Wikipedia carelessly causing harm to a single individual. It
would be child's play compared to what would happen if a few ten thousand
people had their bank accounts cleaned, or a few dozen opposition members
arrested by the secret police, or something like that, because Wikipedians
decided security improvements were not worth the effort of moving users
from one group to another.