yuanml wrote:
As [[User:formulax]] mentioned in http://mail.wikipedia.org/pipermail/wikipedia-l/2004-September/017409.html
The guy called [[User:Yaohua2000]] today uploaded a text file, which contains passwords of some users, to threaten us. We deleted the file immediately, but the situation seems very dangerous for us now: one can steal the password of our users.
The flood vandalism in Zh: several months ago was done by [[User:Yaohua2000]]. This guy seems to be very clever but also very evil.
There was really never any need to send out password hashes in cookies. I made a quick patch to send out randomly generated tokens instead, which have no relationship to the password.
Domas Mituzas wrote:
That user discovered the bug and reported it in #mediawiki. The best solution would be to serve downloads from a separate domain, so project cookies would not be affected.
There are stacks of methods which allow attackers to obtain cookies, we discover them and fix them all the time. It's best if we minimise the consequences.
-- Tim Starling
wikitech-l@lists.wikimedia.org
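
The change described in the reply above (a random token in the cookie instead of the password hash), sketched as an added example that is not part of the original thread and is not MediaWiki's code. The `TokenStore` class, the user name and the password are constructed for illustration, and keeping only a digest of the token on the server is an assumption of this sketch.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """In-memory stand-in for the user table (hypothetical, for illustration)."""

    def __init__(self):
        self._token_digest = {}  # user name -> SHA-256 digest of the current token

    def issue(self, user):
        """Create a fresh random token, keep only its digest, return the cookie value."""
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._token_digest[user] = hashlib.sha256(token.encode()).digest()
        return token

    def verify(self, user, cookie_value):
        """Check a presented cookie in constant time; unknown users fail."""
        expected = self._token_digest.get(user)
        if expected is None or not isinstance(cookie_value, str):
            return False
        presented = hashlib.sha256(cookie_value.encode()).digest()
        return hmac.compare_digest(presented, expected)

    def revoke(self, user):
        """Invalidate the outstanding cookie, e.g. on logout or after a leak."""
        self._token_digest.pop(user, None)


def demo():
    store = TokenStore()
    password = "correct horse battery staple"  # constructed sample value
    # Stand-in for whatever password hash the server stores (constructed).
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    cookie = store.issue("ExampleUser")
    leaked = cookie  # what someone who obtained the cookie would hold
    results = {
        "valid_cookie_accepted": store.verify("ExampleUser", cookie),
        "password_hash_rejected": not store.verify("ExampleUser", password_hash),
        "token_differs_from_hash": leaked != password_hash,
    }
    # Re-issuing replaces the token, so the leaked cookie stops working
    # without the password ever having been exposed.
    new_cookie = store.issue("ExampleUser")
    results["leaked_rejected_after_reissue"] = not store.verify("ExampleUser", leaked)
    results["new_cookie_accepted"] = store.verify("ExampleUser", new_cookie)
    store.revoke("ExampleUser")
    results["rejected_after_revoke"] = not store.verify("ExampleUser", new_cookie)
    return results
```

A leaked cookie here is worth one session at most: it can be revoked on the server, and it gives no material for guessing or replaying the password.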