
Social Profile allows admins to change other users' email addresses
Closed, Resolved. Public


This means that the editothersprofiles right must be removed from all wikis currently, and removed from default permissions.

Event Timeline

As a followup to this task, we're thinking of modifying modifyGroupPermission.php so that it can remove a permission from all groups that contain it. This would make it easier to strip the right, as currently there are still wikis that have it. Hence this was done as a temporary measure.

You'd have to make a maint script to do it, and it's easier to make a maintenance script loop over all groups than to modify a single-purpose function to do the job.

IMHO the maint script is the solution.

Southparkfan raised the priority of this task from High to Unbreak Now!. Edited Jan 24 2019, 11:59

Confirmed so far: this right was assigned to the 'sysop' group on all wikis with this extension enabled (as of this moment 86 wikis) since February 8, 2017.

I have searched through all access log files on the cache proxies to see if Special:EditProfile was accessed. There was one hit (P173) and it does look like the email address of this user was changed?

Query to fetch all log entries (not sure how to find out *IF* email address was changed) where target user does not equal actor:

SELECT log_title, actor_name
FROM logging
INNER JOIN user ON logging.log_title = user.user_name
INNER JOIN actor ON logging.log_actor = actor.actor_id
WHERE log_type = 'profile' AND log_title <> actor_name;

Results: P174
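The two checks described in the comment above, proxy access logs for hits on Special:EditProfile and logging-table rows where the profile target is not the actor, can be combined into one offline triage script. The following is an added example, not code from Miraheze or the SocialProfile extension. It assumes a combined-format access log, a URL layout of /wiki/Special:EditProfile/<target user>, and that only a form submission (taken here to be a POST, an assumption) can change anything while a GET merely renders the form. The log lines and the rows standing in for the page's SQL result are constructed sample data.

```python
import re

# Constructed sample access log lines in combined log format (not real Miraheze data).
ACCESS_LOG = """\
203.0.113.10 - - [24/Jan/2019:10:01:02 +0000] "GET /wiki/Special:EditProfile/Alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Jan/2019:10:02:17 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [24/Jan/2019:10:03:44 +0000] "POST /wiki/Special:EditProfile/Bob HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [24/Jan/2019:10:04:05 +0000] "GET /wiki/Special:UpdateProfile HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Constructed rows mirroring the (log_title, actor_name) pairs the page's SQL query returns.
LOG_ROWS = [
    ("Alice", "Alice"),  # a user editing their own profile: expected
    ("Bob", "Carol"),    # someone else editing Bob's profile: the case under investigation
    ("Dave", "Dave"),
    ("Erin", "Carol"),
]

# Extracts method, request path and status from the quoted request part of a combined-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def edit_profile_hits(log_text):
    """Return (method, path, status, target) for every request to Special:EditProfile.

    `target` is the user name after the special page name, or None when absent
    (URL layout /wiki/Special:EditProfile/<user> is an assumption).
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if "Special:EditProfile" not in path:
            continue  # e.g. Special:UpdateProfile is a different page and is skipped
        target = path.split("Special:EditProfile", 1)[1].lstrip("/") or None
        hits.append((m.group("method"), path, int(m.group("status")), target))
    return hits


def cross_user_profile_edits(rows):
    """Rows where the edited profile (log_title) belongs to someone other than the actor."""
    return [(target, actor) for target, actor in rows if target != actor]


def suspicious_targets(log_text, rows):
    """Correlate both sources: targets of a submitted EditProfile form that were
    also edited by a different account. Returns {target: actor}.

    Assumption: a POST is a submission, a GET only shows the form.
    """
    submitted = {t for method, _, _, t in edit_profile_hits(log_text) if method == "POST" and t}
    return {target: actor for target, actor in cross_user_profile_edits(rows) if target in submitted}


if __name__ == "__main__":
    for hit in edit_profile_hits(ACCESS_LOG):
        print("EditProfile hit:", hit)
    for target, actor in cross_user_profile_edits(LOG_ROWS):
        print(f"profile of {target} edited by {actor}")
    print("needs notification:", suspicious_targets(ACCESS_LOG, LOG_ROWS))
```

The logging table records that a profile was edited, not which fields changed, so the correlation narrows the list of accounts to notify; confirming whether an email address actually changed still needs a comparison against the user table or a backup, as the comment notes.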

If it helps, I discovered this by accidentally stripping the email from two or three spambot accounts on allthetropeswiki.

The issue has been identified and fixed and a list of affected wikis has been generated by @Paladox.

Notices must go out today, that is our top priority now. @John since you worked on that for our August 2018 Security Disclosure, could you assist this time as well?

Also the Dutch authorities will have to be told too.

Notices have been put on Meta, Facebook and Twitter. Emails have been sent out as necessary.

This seems done, time to make this task public?

Already public anyway.

John changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 28 2019, 20:33
John changed the edit policy from "Custom Policy" to "All Users".