https://bugzilla.wikimedia.org/show_bug.cgi?id=19161
Web browser: ---
Summary: Auto account creation creates privacy vulnerability
Product: MediaWiki extensions
Version: any
Platform: All
URL: http://otrs-
wiki.wikimedia.org/wiki/User:Church_of_emacs/mw_critical
_bug
OS/Version: All
Status: NEW
Severity: critical
Priority: Normal
Component: CentralAuth
AssignedTo: [email protected]
ReportedBy: [email protected]
The exact scenario is described in the non-public OTRS wiki:
http://otrs-wiki.wikimedia.org/wiki/User:Church_of_emacs/mw_critical_bug
I remember having a discussion with Tim Starling and Brion Vibber when
Wikimedia began to automatically create accounts on normal GET-requests. Tim
and I had some concerns, while Brion rightfully said that the information of
user:abc visiting a Wikipedia version on a specific date was a minor privacy
concern. However, in the scenario (see URL) it seemed like this feature could
lead to much more private information leaking.
Therefore I propose to disable automatic account creation on GET-requests and
instead use only POST-requests to create accounts.
--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
