This is indeed a problem, but given that rename permissions are granted
by default to bureaucrats, who are the most trusted users, and on small
wikis typically to sysadmins with shell access, this shouldn't be very
dangerous. A sysadmin with shell access will be able to steal your
identity anyway.

It's a problem in the case of large wikis like those on WMF.

On Fri, Mar 8, 2013 at 2:19 AM, Ryan Lane <[email protected]> wrote:
> Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
> extension for the case that MediaWiki is used as a “provider” and the wiki
> allows renaming of users.
>
> All previous versions of the OpenID extension used user-page URLs as
> identity URLs. On wikis that use the OpenID extension as “provider” and
> allow user renames, an attacker with rename privileges could rename a user
> and could then create an account with the same name as the victim. This
> would have allowed the attacker to steal the victim’s OpenID identity.
>
> Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id>
> as the user’s identity URL, <id> being the immutable MediaWiki-internal
> userid of the user. The user’s old identity URL, based on the user’s
> user-page URL, will no longer be valid.
>
> The user’s user page can still be used as OpenID identity URL, but will
> delegate to the special page.
>
> This is a breaking change, as it changes all user identity URLs. Providers
> are urged to upgrade and notify users, or to disable user renaming.
>
> Respectfully,
>
> Ryan Lane
>
> https://gerrit.wikimedia.org/r/#/c/52722
> Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

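The advisory's attack and fix, replayed as an added example. This is a standalone Python model written for this page, not code from the MediaWiki OpenID extension: the user table, the base URL (https://wiki.example/), the account names and the function names are all assumptions. It keys the identity URL on the mutable user name (the pre-3.00 scheme) and on the immutable user id (the 3.00 scheme), runs the rename-then-recreate sequence from the advisory under each, and reports which account the provider then maps the victim's registered identity to. It also checks the breaking-change caveat: under 3.00 a user-page URL is no longer accepted as an identity at all.

```python
# Added example, not MediaWiki or OpenID-extension code. The user table,
# BASE_URL, the sample account names and all function names are assumptions.
import itertools
from dataclasses import dataclass

BASE_URL = "https://wiki.example/"  # assumed wiki base URL


@dataclass
class User:
    user_id: int   # immutable, assigned once at creation
    name: str      # mutable: changed by a rename


class UserTable:
    """Toy stand-in for the wiki's user table."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._users = {}

    def create(self, name):
        if self.by_name(name) is not None:
            raise ValueError(f"name already taken: {name}")
        user = User(next(self._ids), name)
        self._users[user.user_id] = user
        return user

    def rename(self, old, new):
        user = self.by_name(old)
        if user is None or self.by_name(new) is not None:
            raise ValueError(f"cannot rename {old!r} to {new!r}")
        user.name = new
        return user

    def by_name(self, name):
        return next((u for u in self._users.values() if u.name == name), None)

    def by_id(self, user_id):
        return self._users.get(user_id)


# Identity URL construction: what the provider hands out under each scheme.
def legacy_identity_url(user):
    """Pre-3.00: the identity URL is the user-page URL, i.e. keyed on the name."""
    return f"{BASE_URL}User:{user.name}"


def fixed_identity_url(user):
    """3.00: Special:OpenIDIdentifier/<id>, keyed on the immutable user id."""
    return f"{BASE_URL}Special:OpenIDIdentifier/{user.user_id}"


SCHEMES = {
    "legacy": (legacy_identity_url, BASE_URL + "User:"),
    "fixed": (fixed_identity_url, BASE_URL + "Special:OpenIDIdentifier/"),
}


def resolve_identity(users, identity_url, scheme):
    """Provider-side lookup: which account does identity_url belong to?
    Under 'fixed' a pre-3.00 user-page URL is no longer a valid identity."""
    _, prefix = SCHEMES[scheme]
    if not identity_url.startswith(prefix):
        return None
    tail = identity_url[len(prefix):]
    if scheme == "fixed":
        return users.by_id(int(tail)) if tail.isdigit() else None
    return users.by_name(tail)


def rename_attack(scheme):
    """Replay the advisory's scenario under one scheme.

    Returns (victim_id, impostor_id, owner_id), where owner_id is the account
    the provider now maps the victim's registered identity URL to."""
    users = UserTable()
    victim = users.create("Alice")
    make_url, _ = SCHEMES[scheme]
    registered = make_url(victim)  # the URL Alice enrolled at a relying party
    # Attacker with rename rights moves Alice aside and takes her old name.
    users.rename("Alice", "Alice (renamed)")
    impostor = users.create("Alice")
    owner = resolve_identity(users, registered, scheme)
    return victim.user_id, impostor.user_id, owner.user_id if owner else None


if __name__ == "__main__":
    for scheme in SCHEMES:
        victim, impostor, owner = rename_attack(scheme)
        verdict = "STOLEN" if owner == impostor else "intact"
        print(f"{scheme:6}: victim={victim} impostor={impostor} "
              f"identity now resolves to {owner} -> {verdict}")
```

Under the legacy scheme the victim's identity URL resolves to the impostor's freshly created account after the rename; under the id-keyed scheme it still resolves to the victim, and the old user-page URL is rejected outright, which is the breaking change providers are told to announce to their users.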