Page MenuHomeMiraheze
Create Task
Maniphest T4046

Social Profile allows admins to change other user's email addresses
Closed, ResolvedPublic
Actions

Description

This means that the editothersprofiles right must be removed from all wikis currently, and removed from default permissions.

Related Objects

Event Timeline

Void created this task.Jan 24 2019, 03:36
Herald added subscribers: Southparkfan, Reception123. · View Herald TranscriptJan 24 2019, 03:36
Void assigned this task to Paladox.Jan 24 2019, 03:50
Void added a comment.Jan 24 2019, 04:58

As a followup to this task, we're thinking of modifying modifyGroupPermission.php so that it can remove a permission from all groups that contain it. This would make it easier to strip the right, as currently there are still wikis that have it. Hence https://git.io/fhwOy was done as a temporary measure.

John subscribed.Jan 24 2019, 10:30

You’d have to make a maint script to do and it’s easier to make a maintenance script loop all groups then modify a single purpose function to do the job.

IMHO the maint script is the solution.

Southparkfan raised the priority of this task from High to Unbreak Now!.EditedJan 24 2019, 11:59

Confirmed so far: this right was assigned to the 'sysop' group on all wikis with this extension enabled (as of this moment 86 wikis) since February 8, 2017.

I have searched through all access log files on the cache proxies to see if Special:EditProfile was accessed. There was one hit (P173) and it does look like the email address of this user was changed..?

Query to fetch all log entries (not sure how to find out *IF* email address was changed) where target user does not equal actor:

select log_title,actor_name from logging inner join user on logging.log_title = user.user_name inner join actor on logging.log_actor = actor.actor_id where log_type = 'profile' and log_title <> actor_name;

Reults: P174

Herald added a project: Amanda Catherine. · View Herald TranscriptJan 24 2019, 11:59
Southparkfan changed the visibility from "Custom Policy" to "Custom Policy".Jan 24 2019, 12:00
Southparkfan removed a project: Amanda Catherine.
Void added a comment.Jan 24 2019, 13:42

If it helps, I discovered this by accidentally stripping the email from two or three spambot accounts on allthetropeswiki.

Southparkfan added a comment.Jan 25 2019, 10:39

The issue has been identified and fixed and a list of affected wikis has been generated by @Paladox.

Notices must go out today, that is our top priority now. @John since you worked on that for our August 2018 Security Disclosure, could you assist this time as well?

Paladox added a comment.Jan 25 2019, 14:39

Also the dutch authorities will have to be told too.

Paladox added a subscriber: labster.Jan 25 2019, 15:07
Southparkfan added a comment.EditedJan 25 2019, 21:24

Notices have been put on Meta, Facebook and Twitter. Emails have been sent out as necessary.

Southparkfan added a comment.Jan 27 2019, 21:57

This seems done, time to make this task public?

Paladox added a comment.Jan 27 2019, 22:15

+1 too ^^

John closed this task as Resolved.Jan 28 2019, 20:32

Already public anyway.

John changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 28 2019, 20:33
John changed the edit policy from "Custom Policy" to "All Users".
Herald added a subscriber: CnocBride. · View Herald TranscriptJan 28 2019, 20:33
Void mentioned this in T4864: Cannot remove SocialProfile spam due to permissions problem.Nov 21 2019, 18:17