Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID extension for the case that MediaWiki is used as a “provider” and the wiki allows renaming of users.
All previous versions of the OpenID extension used user-page URLs as identity URLs. On wikis that use the OpenID extension as “provider” and allow user renames, an attacker with rename privileges could rename a user and could then create an account with the same name as the victim. This would have allowed the attacker to steal the victim’s OpenID identity.
Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id> as the user’s identity URL, <id> being the immutable MediaWiki-internal userid of the user. The user’s old identity URL, based on the user’s user-page URL, will no longer be valid.
The user’s user page can still be used as OpenID identity URL, but will delegate to the special page.
This is a breaking change, as it changes all user identity URLs. Providers are urged to upgrade and notify users, or to disable user renaming.
Respectfully,
Ryan Lane
https://gerrit.wikimedia.org/r/#/c/52722
Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2
This is indeed a problem, but given that rename permissions are granted by default to bureaucrats, who are the most trusted users and, on small wikis, typically sysadmins with shell access, this shouldn't be very dangerous. A sysadmin with shell access will be able to steal your identity anyway.
It's a problem in the case of large wikis like these on wmf.
On Fri, Mar 8, 2013 at 1:07 AM, Yuvi Panda yuvipanda@gmail.com wrote:
Was this the last blocker to getting the extension deployed?
On wikitech the blockers were the switch of the wiki name (from labsconsole to wikitech) and this. There's still some issues that need to be worked out for deployment on the main projects. Also, it needs a full review before deployment to the projects, and we need to work out how this will affect the OAuth plans. We have a kickoff meeting for this coming up soon. I'll send updates when that occurs.
For deployment on wikitech I think I'd like to wait for a full security review, so it may be a little while.
- Ryan
On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane rlane32@gmail.com wrote:
On wikitech the blockers were the switch of the wiki name (from labsconsole to wikitech) and this. There's still some issues that need to be worked out for deployment on the main projects. Also, it needs a full review before deployment to the projects, and we need to work out how this will affect the OAuth plans. We have a kickoff meeting for this coming up soon. I'll send updates when that occurs.
Did anything come out of the Kickoff Meeting?
-- Yuvi Panda T http://yuvi.in/blog
On Sun, Jun 2, 2013 at 11:30 AM, Yuvi Panda yuvipanda@gmail.com wrote:
On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane rlane32@gmail.com wrote:
On wikitech the blockers were the switch of the wiki name (from labsconsole to wikitech) and this. There's still some issues that need to be worked out for deployment on the main projects. Also, it needs a full review before deployment to the projects, and we need to work out how this will affect the OAuth plans. We have a kickoff meeting for this coming up soon. I'll send updates when that occurs.
Did anything come out of the Kickoff Meeting?
For OpenID, the plan coming out of the meetings is:
* As part of the current Auth Sprint, I'll be doing a full review of OpenID with the goal of getting it deployed on the WMF cluster
* We are planning to make login.wikimedai.org an OpenID provider to other WMF projects at some point in the near future
If you have any specific questions, feel free to ping me on or off list.
On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp csteipp@wikimedia.org wrote:
For OpenID, the plan coming out of the meetings is:
- As part of the current Auth Sprint, I'll be doing a full review of
OpenID with the goal of getting it deployed on the WMF cluster
Wonderful! Can you tell me the timeline of 'current auth sprint'?
- We are planning to make login.wikimedai.org an OpenID provider to
other WMF projects at some point in the near future
Super-wonderful :) Again, a rough timeline?
Looking forward to being able to use My Wikimedia Identity elsewhere :)
-- Yuvi Panda T http://yuvi.in/blog
On Mon, Jun 3, 2013 at 11:52 AM, Yuvi Panda yuvipanda@gmail.com wrote:
On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp csteipp@wikimedia.org wrote:
For OpenID, the plan coming out of the meetings is:
- As part of the current Auth Sprint, I'll be doing a full review of
OpenID with the goal of getting it deployed on the WMF cluster
Wonderful! Can you tell me the timeline of 'current auth sprint'?
We are trying to finish the items in scope (SUL rework, OAuth, and a review of the OpenID extension) by the end of this month.
- We are planning to make login.wikimedai.org an OpenID provider to
other WMF projects at some point in the near future
Super-wonderful :) Again, a rough timeline?
Looking forward to being able to use My Wikimedia Identity elsewhere :)
-- Yuvi Panda T http://yuvi.in/blog
On 03/08/2013 01:34 AM, Petr Bena wrote:
this shouldn't be very dangerous
Even if it isn't in practice in the typical cases, it exposes a third party to a risk they are unable to assess if they use that OpenID. (And it doesn't require a 'crat going rogue even here -- renames are sometimes done without salting the former username and an unrelated third party could create an account to reuse the username and then probe plausible consumers of the ID).
-- Marc
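Added example, not part of the thread and not the extension's code: a toy model of a wiki acting as OpenID provider, showing why the name-based identity URL described in the announcement changes owner after the rename and re-registration Marc describes, while the Special:OpenIDIdentifier/<id> form does not. The Wiki class, its methods and the host wiki.example.org are assumptions made for illustration.

```python
# Added illustration: toy model of a wiki acting as an OpenID provider.
# Class, method and host names are hypothetical, not the extension's code.
from urllib.parse import quote

BASE = "https://wiki.example.org/wiki/"  # constructed host


class Wiki:
    def __init__(self):
        self._next_id = 1
        self.names = {}  # immutable user id -> current username

    def create_account(self, name):
        if name in self.names.values():
            raise ValueError("username taken")
        uid = self._next_id
        self._next_id += 1
        self.names[uid] = name
        return uid

    def rename(self, uid, new_name):
        if new_name in self.names.values():
            raise ValueError("username taken")
        self.names[uid] = new_name  # the old name becomes free again

    def identity_by_name(self, uid):
        # Pre-3.00 scheme: the identity URL is the user-page URL.
        return BASE + "User:" + quote(self.names[uid])

    def identity_by_id(self, uid):
        # 3.00 scheme: the identity URL carries the immutable user id.
        return BASE + "Special:OpenIDIdentifier/" + str(uid)


def demo():
    wiki = Wiki()
    victim = wiki.create_account("Alice")
    # What a relying party stored when Alice first logged in there.
    stored_name_url = wiki.identity_by_name(victim)
    stored_id_url = wiki.identity_by_id(victim)

    wiki.rename(victim, "Alice-renamed")     # rename frees "Alice"
    newcomer = wiki.create_account("Alice")  # a different person registers it

    return {
        "name_url_reassigned": wiki.identity_by_name(newcomer) == stored_name_url,
        "victim_lost_name_url": wiki.identity_by_name(victim) != stored_name_url,
        "id_url_reassigned": wiki.identity_by_id(newcomer) == stored_id_url,
        "victim_keeps_id_url": wiki.identity_by_id(victim) == stored_id_url,
    }
```

The relying party only ever sees the identity URL, so under the name-based scheme it cannot tell the two accounts apart.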