Extension:OpenID 3.00 - Security Release


Extension:OpenID 3.00 - Security Release

Ryan Lane-2
Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
extension for the case that MediaWiki is used as a “provider” and the wiki
allows renaming of users.

All previous versions of the OpenID extension used user-page URLs as
identity URLs. On wikis that use the OpenID extension as “provider” and
allow user renames, an attacker with rename privileges could rename a user
and could then create an account with the same name as the victim. This
would have allowed the attacker to steal the victim’s OpenID identity.

Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id>
as the user’s identity URL, <id> being the immutable MediaWiki-internal
userid of the user. The user’s old identity URL, based on the user’s
user-page URL, will no longer be valid.

The user’s user page can still be used as OpenID identity URL, but will
delegate to the special page.

This is a breaking change, as it changes all user identity URLs. Providers
are urged to upgrade and notify users, or to disable user renaming.

Respectfully,

Ryan Lane

https://gerrit.wikimedia.org/r/#/c/52722
Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
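As an added illustration (not code from the extension or from the Gerrit change above), a small Python model of the two identity-URL schemes the announcement contrasts: a consumer stores a user's identity URL, a user with rename rights renames the account and the freed name is registered again, and the provider then resolves the stored URL. The Wiki class, rename_scenario and the host name are constructed for this example.

```python
BASE = "https://wiki.example.org/wiki/"  # constructed placeholder host

class Wiki:
    def __init__(self):
        self.next_id = 1
        self.by_name = {}   # username -> userid (the username is mutable)
        self.by_id = {}     # userid -> username

    def create(self, name):
        if name in self.by_name:
            raise ValueError("username already exists")
        uid, self.next_id = self.next_id, self.next_id + 1
        self.by_name[name], self.by_id[uid] = uid, name
        return uid

    def rename(self, old, new):
        # A rename keeps the userid; only the username changes, and the old
        # name becomes available for registration again.
        uid = self.by_name.pop(old)
        self.by_name[new], self.by_id[uid] = uid, new

    # Pre-3.00: the identity URL is the user-page URL, derived from the username.
    def identity_url_userpage(self, uid):
        return f"{BASE}User:{self.by_id[uid]}"

    # 3.00: the identity URL is Special:OpenIDIdentifier/<immutable userid>.
    def identity_url_special(self, uid):
        return f"{BASE}Special:OpenIDIdentifier/{uid}"

    def resolve(self, url):
        """Provider side: which account does a presented identity URL name?"""
        if url.startswith(BASE + "Special:OpenIDIdentifier/"):
            uid = int(url.rsplit("/", 1)[1])
            return uid if uid in self.by_id else None
        if url.startswith(BASE + "User:"):
            return self.by_name.get(url[len(BASE + "User:"):])
        return None

def rename_scenario(identity_scheme):
    """Victim 'Alice' registers her identity URL with a consumer; she is renamed
    and a new account takes the freed name. Returns (victim userid, newcomer
    userid, userid the consumer's stored URL now resolves to)."""
    wiki = Wiki()
    victim = wiki.create("Alice")
    stored = getattr(wiki, identity_scheme)(victim)   # what the consumer remembers
    wiki.rename("Alice", "Alice (old)")
    newcomer = wiki.create("Alice")                   # old name is free again
    return victim, newcomer, wiki.resolve(stored)
```

With the user-page scheme the consumer's stored URL now resolves to the newcomer's account; with the Special:OpenIDIdentifier scheme it still resolves to the victim, which is the property the 3.00 change restores.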

Re: Extension:OpenID 3.00 - Security Release

Petr Bena
This is indeed a problem, but given that rename permissions are granted
by default to bureaucrats, who are the most trusted users, and on small
wikis typically sysadmins with shell access, this shouldn't be very
dangerous. A sysadmin with shell access will be able to steal your
identity anyway.

It's a problem in the case of large wikis like those on WMF.

On Fri, Mar 8, 2013 at 2:19 AM, Ryan Lane <[hidden email]> wrote:

> Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
> extension for the case that MediaWiki is used as a “provider” and the wiki
> allows renaming of users.
>
> All previous versions of the OpenID extension used user-page URLs as
> identity URLs. On wikis that use the OpenID extension as “provider” and
> allow user renames, an attacker with rename privileges could rename a user
> and could then create an account with the same name as the victim. This
> would have allowed the attacker to steal the victim’s OpenID identity.
>
> Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/<id>
> as the user’s identity URL, <id> being the immutable MediaWiki-internal
> userid of the user. The user’s old identity URL, based on the user’s
> user-page URL, will no longer be valid.
>
> The user’s user page can still be used as OpenID identity URL, but will
> delegate to the special page.
>
> This is a breaking change, as it changes all user identity URLs. Providers
> are urged to upgrade and notify users, or to disable user renaming.
>
> Respectfully,
>
> Ryan Lane
>
> https://gerrit.wikimedia.org/r/#/c/52722
> Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2

Re: Extension:OpenID 3.00 - Security Release

Yuvi Panda
Was this the last blocker to getting the extension deployed?

Re: Extension:OpenID 3.00 - Security Release

Thomas Gries
On 08.03.2013 10:07, Yuvi Panda wrote:
> Was this the last blocker to getting the extension deployed?
>
One, two or three further non-security-related patches will follow in the
next few days, which improve the user GUI, especially the preference tab for OpenID.

Stay tuned...

Regards,
Tom



Re: Extension:OpenID 3.00 - Security Release

Marc-Andre
In reply to this post by Petr Bena
On 03/08/2013 01:34 AM, Petr Bena wrote:
> this shouldn't be very
> dangerous

Even if it isn't in practice in the typical cases, it exposes a third
party to a risk they are unable to assess if they use that OpenID.  (And
it doesn't require a 'crat going rogue even here -- renames are
sometimes done without salting the former username and an unrelated
third party could create an account to reuse the username and then probe
plausible consumers of the ID).

-- Marc



Re: Extension:OpenID 3.00 - Security Release

Ryan Lane-2
In reply to this post by Yuvi Panda
On Fri, Mar 8, 2013 at 1:07 AM, Yuvi Panda <[hidden email]> wrote:

> Was this the last blocker to getting the extension deployed?
>

On wikitech the blockers were the switch of the wiki name (from labsconsole
to wikitech) and this. There are still some issues that need to be worked out
for deployment on the main projects. Also, it needs a full review before
deployment to the projects, and we need to work out how this will affect
the OAuth plans. We have a kickoff meeting for this coming up soon. I'll
send updates when that occurs.

For deployment on wikitech I think I'd like to wait for a full security
review, so it may be a little while.

- Ryan

Re: Extension:OpenID 3.00 - Security Release

Yuvi Panda
On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane <[hidden email]> wrote:
> On wikitech the blockers were the switch of the wiki name (from labsconsole
> to wikitech) and this. There's still some issues that need to be worked out
> for deployment on the main projects. Also, it needs a full review before
> deployment to the projects, and we need to work out how this will affect the
> OAuth plans. We have a kickoff meeting for this coming up soon. I'll send
> updates when that occurs.

Did anything come out of the Kickoff Meeting?


--
Yuvi Panda T
http://yuvi.in/blog


Re: Extension:OpenID 3.00 - Security Release

Chris Steipp
On Sun, Jun 2, 2013 at 11:30 AM, Yuvi Panda <[hidden email]> wrote:
> On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane <[hidden email]> wrote:
>> On wikitech the blockers were the switch of the wiki name (from labsconsole
>> to wikitech) and this. There's still some issues that need to be worked out
>> for deployment on the main projects. Also, it needs a full review before
>> deployment to the projects, and we need to work out how this will affect the
>> OAuth plans. We have a kickoff meeting for this coming up soon. I'll send
>> updates when that occurs.
>
> Did anything come out of the Kickoff Meeting?

For OpenID, the plan coming out of the meetings is:
* As part of the current Auth Sprint, I'll be doing a full review of
OpenID with the goal of getting it deployed on the WMF cluster
* We are planning to make login.wikimedia.org an OpenID provider to
other WMF projects at some point in the near future

If you have any specific questions, feel free to ping me on or off list.


Re: Extension:OpenID 3.00 - Security Release

Yuvi Panda
On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp <[hidden email]> wrote:
> For OpenID, the plan coming out of the meetings is:
> * As part of the current Auth Sprint, I'll be doing a full review of
> OpenID with the goal of getting it deployed on the WMF cluster

Wonderful! Can you tell me the timeline of 'current auth sprint'?

> * We are planning to make login.wikimedia.org an OpenID provider to
> other WMF projects at some point in the near future

Super-wonderful :) Again, a rough timeline?

Looking forward to being able to use My Wikimedia Identity elsewhere :)


--
Yuvi Panda T
http://yuvi.in/blog


Re: Extension:OpenID 3.00 - Security Release

Chris Steipp
On Mon, Jun 3, 2013 at 11:52 AM, Yuvi Panda <[hidden email]> wrote:
> On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp <[hidden email]> wrote:
>> For OpenID, the plan coming out of the meetings is:
>> * As part of the current Auth Sprint, I'll be doing a full review of
>> OpenID with the goal of getting it deployed on the WMF cluster
>
> Wonderful! Can you tell me the timeline of 'current auth sprint'?

We are trying to finish the items in scope (SUL rework, OAuth, and a
review of the OpenID extension) by the end of this month.

>> * We are planning to make login.wikimedia.org an OpenID provider to
>> other WMF projects at some point in the near future
>
> Super-wonderful :) Again, a rough timeline?
>
> Looking forward to being able to use My Wikimedia Identity elsewhere :)
