Per https://github.com/miraheze/mw-config/blob/master/LocalSettings.php#L417, all logins are being prompted with an external login auth.
Less knowledgeable users may enter their login information which will be sent away from miraheze to an external provider who can in theory decrypt the information. (The implementation is likely not secure as the whole layer isn’t securely designed.)
Publicly disclosed already, and extremely easy to find.
| Unknown Object (Diffusion Commit) |
For security reasons it may be better to disable this feature for all domains not in staff control.
There isn’t a feature to enable/disable. It’s upstream domain stuff which is why the domain has been removed.
@Reception123 fyi you shouldn't have moved this to S2 but changed the policy to allow only Security+me (because I made this task and I could have looked into this way way earlier).
Why was this change reverted? This auto-login vector is a security vulnerability (since the custom domains are not under our control) and DoS vector (one auto-login generates more than 250 web requests in just a few seconds. It's impossible to handle those with just 12 virtual cores!).
What's to be done here?
For checking if the domain is being loaded from Miraheze fleet - We're doing stuff like T3062: Crackdown for DNS repo: expired/no longer pointing us and T3063: Crackdown for SSL/mediawiki-config repo: DNS entry no longer points us. Automating would be more 'actionable', though.
We need to get this to work by not auto logging into the wiki's, but we carn't seem to get it working.