*Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
extension for the case that MediaWiki is used as a “provider” and the wiki
allows renaming of users.

All previous versions of the OpenID extension used user-page URLs as
identity URLs. On wikis that use the OpenID extension as “provider” and
allow user renames, an attacker with rename privileges could rename a user
and could then create an account with the same name as the victim. This
would have allowed the attacker to steal the victim’s OpenID identity.

Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id>
as the user’s identity URL, <id> being the immutable MediaWiki-internal
userid of the user. The user’s old identity URL, based on the user’s
user-page URL, will no longer be valid.

The user’s user page can still be used as OpenID identity URL, but will
delegate to the special page.

This is a breaking change, as it changes all user identity URLs. Providers
are urged to upgrade and notify users, or to disable user renaming.

Respectfully,

Ryan Lane

https://gerrit.wikimedia.org/r/#/c/52722
Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2*
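
The difference between the two identifier schemes, as an added Python model that is not MediaWiki or OpenID extension code. The host, the `/wiki/User:` path and the account names are constructed assumptions; only the `Special:OpenIDIdentifier/<id>` form comes from the advisory.

```python
# Toy model of a wiki acting as OpenID provider (constructed; not MediaWiki code).
from dataclasses import dataclass, field
from itertools import count

BASE = "https://wiki.example"  # placeholder host (assumption)


@dataclass
class Wiki:
    scheme: str  # "userpage" (before 3.00) or "userid" (3.00)
    users: dict = field(default_factory=dict)  # immutable user id -> current name
    _ids: count = field(default_factory=lambda: count(1))

    def create(self, name):
        if name in self.users.values():
            raise ValueError("name taken")
        uid = next(self._ids)
        self.users[uid] = name
        return uid

    def rename(self, uid, new_name):
        if new_name in self.users.values():
            raise ValueError("name taken")
        self.users[uid] = new_name  # the id stays, only the name changes

    def identity_url(self, uid):
        """URL the provider asserts to relying parties for this account."""
        if self.scheme == "userpage":
            # User-page path layout is an assumption for illustration.
            return f"{BASE}/wiki/User:{self.users[uid]}"
        return f"{BASE}/wiki/Special:OpenIDIdentifier/{uid}"


def rename_outcome(scheme):
    """Return (newcomer_gets_bound_url, victim_keeps_bound_url) after a rename."""
    wiki = Wiki(scheme)
    victim = wiki.create("Alice")
    bound = wiki.identity_url(victim)   # what a relying party stored for Alice
    wiki.rename(victim, "Alice-old")    # the rename frees the name "Alice"
    newcomer = wiki.create("Alice")     # a second account takes the freed name
    return (wiki.identity_url(newcomer) == bound,
            wiki.identity_url(victim) == bound)


if __name__ == "__main__":
    for scheme in ("userpage", "userid"):
        print(scheme, rename_outcome(scheme))
```

With the name-based scheme the stored identity URL follows the name to the new account; with the id-based scheme it stays with the original account across the rename.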