This is indeed a problem, but given that rename permissions are granted by default to bureaucrats, who are the most trusted users, and on small wikis typically sysadmins with shell access, this shouldn't be very dangerous. A sysadmin with shell access will be able to steal your identity anyway.
It's a problem in the case of large wikis like those on WMF.
On Fri, Mar 8, 2013 at 2:19 AM, Ryan Lane rlane32@gmail.com wrote:
Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID extension for the case that MediaWiki is used as a “provider” and the wiki allows renaming of users.
All previous versions of the OpenID extension used user-page URLs as identity URLs. On wikis that use the OpenID extension as “provider” and allows user renames, an attacker with rename privileges could rename a user and could then create an account with the same name as the victim. This would have allowed the attacker to steal the victim’s OpenID identity.
Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id> as the user’s identity URL, <id> being the immutable MediaWiki-internal userid of the user. The user’s old identity URL, based on the user’s user-page URL, will no longer be valid.
The user’s user page can still be used as OpenID identity URL, but will delegate to the special page.
This is a breaking change, as it changes all user identity URLs. Providers are urged to upgrade and notify users, or to disable user renaming.
Respectfully,
Ryan Lane
https://gerrit.wikimedia.org/r/#/c/52722
Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
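The advisory quoted above describes why binding an OpenID identity URL to a mutable user-page name fails once renames are possible, and why 3.00 binds it to the immutable internal user id instead. The following is an added illustration, not code from the OpenID extension or from Ryan Lane's message: a small model of a wiki's user table with both identity-URL schemes side by side, so the rename-then-recreate sequence from the advisory can be replayed against each and the difference in who the stored URL resolves to can be checked. The wiki base URL, the `Special:OpenIDServer` endpoint used in the delegation tags, and all user names are constructed assumptions.

```python
"""Model of the identity-binding flaw in the MediaWiki OpenID advisory.

Added example, not the extension's own code. Names, URLs and the
provider endpoint below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import itertools
import re

BASE = "https://wiki.example.org"  # constructed wiki base URL (assumption)


@dataclass
class User:
    user_id: int  # immutable internal id, like MediaWiki's user_id column
    name: str     # mutable: changed by a rename


class Wiki:
    """Minimal user table: ids are never reused, names can change."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.users: dict[int, User] = {}

    def create(self, name: str) -> User:
        if self.by_name(name) is not None:
            raise ValueError(f"name already taken: {name}")
        user = User(next(self._ids), name)
        self.users[user.user_id] = user
        return user

    def rename(self, old: str, new: str) -> None:
        # Requires rename rights (bureaucrat by default); the old name is freed.
        if self.by_name(new) is not None:
            raise ValueError(f"name already taken: {new}")
        user = self.by_name(old)
        if user is None:
            raise KeyError(old)
        user.name = new

    def by_name(self, name: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.name == name), None)


# --- pre-3.00 scheme: identity URL derived from the user-page URL ----------
def identity_url_v2(user: User) -> str:
    return f"{BASE}/wiki/User:{user.name}"


def resolve_v2(wiki: Wiki, url: str) -> Optional[User]:
    m = re.fullmatch(re.escape(BASE) + r"/wiki/User:(.+)", url)
    return wiki.by_name(m.group(1)) if m else None


# --- 3.00 scheme: Special:OpenIDIdentifier/<id>, keyed on the immutable id --
def identity_url_v3(user: User) -> str:
    return f"{BASE}/wiki/Special:OpenIDIdentifier/{user.user_id}"


def resolve_v3(wiki: Wiki, url: str) -> Optional[User]:
    m = re.fullmatch(re.escape(BASE) + r"/wiki/Special:OpenIDIdentifier/(\d+)", url)
    return wiki.users.get(int(m.group(1))) if m else None


def user_page_delegation(user: User) -> str:
    """HTML <link> tags a 3.00 user page would carry so that the old
    user-page URL still works as an identifier but delegates to the
    special page. The provider endpoint is an assumed, constructed value."""
    provider = f"{BASE}/wiki/Special:OpenIDServer"  # assumption
    local_id = identity_url_v3(user)
    return (
        f'<link rel="openid.server" href="{provider}">\n'
        f'<link rel="openid.delegate" href="{local_id}">\n'
        f'<link rel="openid2.provider" href="{provider}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">'
    )


def simulate(resolve: Callable[[Wiki, str], Optional[User]],
             identity_url: Callable[[User], str]) -> Tuple[int, int]:
    """Replay the advisory's sequence against one scheme.

    Returns (victim's id, id of the account the relying party's stored
    identity URL resolves to afterwards). Equal ids mean the binding held.
    """
    wiki = Wiki()
    victim = wiki.create("Alice")
    stored_url = identity_url(victim)      # what a relying party remembers
    wiki.rename("Alice", "Alice_old")      # performed by a rename-privileged account
    wiki.create("Alice")                   # the freed name is taken by a new account
    resolved = resolve(wiki, stored_url)
    assert resolved is not None
    return victim.user_id, resolved.user_id


if __name__ == "__main__":
    print("user-page URL scheme:", simulate(resolve_v2, identity_url_v2))  # (1, 2)
    print("Special-page id scheme:", simulate(resolve_v3, identity_url_v3))  # (1, 1)
```

The check that matters is the pair returned by `simulate`: under the user-page scheme the stored URL now resolves to the second account's id, which is the identity takeover the advisory describes, while under the id-keyed scheme it still resolves to the original account no matter what the name column says. The same reasoning is why the advisory calls the upgrade a breaking change: every relying party holding a `User:` style URL has to be re-pointed, and `user_page_delegation` shows the shape of the bridge that keeps those old URLs usable.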