https://bugzilla.wikimedia.org/show_bug.cgi?id=69596

Rainer Rillke @commons.wikimedia <ril...@wikipedia.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ril...@wikipedia.de

--- Comment #2 from Rainer Rillke @commons.wikimedia <ril...@wikipedia.de> ---
(In reply to Michael M. from comment #1)
naak naak naak, again such security nonsense; the same as in Bug 48931 --
either we trust user scripts and this is what we currently do (see below) or we
don't and they must be completely removed.

1) Do you store passwords in your browser for Commons? Firefox? Please log out
and go to
https://commons.wikimedia.org/w/index.php?title=Help:Gadget-Cat-a-lot&withJS=MediaWiki:ActivateGadget.js&gadgetname=Cat-a-lot
-- see your password will be pre-filled and my evil script could read it.
Scary, isn't it :~)

2) Malicious scripts could, at any time, create a fake login form like "We are
sorry, but your session expired. Please log in again ... blah blah Password:
[_______]". We are not actively telling users that they should only use
[[Special:UserLogin]] for security reasons and never enter their password on a
different page.

3) There is an API module for login and it's not only useful to bots. The
security claims are void, let's move forward.
