Watchlistr.com, an outside site that asks for Wikimedia passwords

Watchlistr.com, an outside site that asks for Wikimedia passwords

Sage Ross
I'm not sure what to do about this; it seems like a good idea but a
major security risk:

http://www.watchlistr.com/ is a site that creates aggregate watchlists
across multiple projects. See
http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool

The user who made it has very little editing history, and the site
aggregates watchlists across multiple projects, but requires inputting
your Wikimedia password into the watchlistr.com site.  I have no
specific reason to think it's a scam, but if I was trying to phish
passwords I would do something like this.

-Sage Ross (User:Ragesoss)

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

David Gerard-2
2009/7/22 Sage Ross <[hidden email]>:

> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
> The user who made it has very little editing history, and the site
> aggregates watchlists across multiple projects, but requires inputting
> your Wikimedia password into the watchlistr.com site.  I have no
> specific reason to think it's a scam, but if I was trying to phish
> passwords I would do something like this.


Would something on the toolserver be safe enough in these terms?


- d.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Michael Rosenthal
The toolserver rules forbid that:
https://wiki.toolserver.org/view/Rules (#8)

However there is gWatch which works without authentication:
http://toolserver.org/~luxo/gwatch/login.php



On Wed, Jul 22, 2009 at 9:59 PM, David Gerard<[hidden email]> wrote:

> 2009/7/22 Sage Ross <[hidden email]>:
>
>> http://www.watchlistr.com/ is a site that creates aggregate watchlists
>> across multiple projects. See
>> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>> The user who made it has very little editing history, and the site
>> aggregates watchlists across multiple projects, but requires inputting
>> your Wikimedia password into the watchlistr.com site.  I have no
>> specific reason to think it's a scam, but if I was trying to phish
>> passwords I would do something like this.
>
>
> Would something on the toolserver be safe enough in these terms?
>
>
> - d.

Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Daniel Schwen-2
In reply to this post by David Gerard-2
>> your Wikimedia password into the watchlistr.com site.  I have no
>> specific reason to think it's a scam, but if I was trying to phish
>> passwords I would do something like this.
> Would something on the toolserver be safe enough in these terms?

It would seem more trustworthy, but if I recall correctly it is
explicitly forbidden to ask for user passwords on the toolserver.
(Which is why Magnus jumped through hoops to create his TUSC thingie)


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

David Gerard-2
In reply to this post by Michael Rosenthal
2009/7/22 Michael Rosenthal <[hidden email]>:
> On Wed, Jul 22, 2009 at 9:59 PM, David Gerard<[hidden email]> wrote:
>> 2009/7/22 Sage Ross <[hidden email]>:

>>> http://www.watchlistr.com/ is a site that creates aggregate watchlists
>>> across multiple projects. See
>>> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>>> The user who made it has very little editing history, and the site
>>> aggregates watchlists across multiple projects, but requires inputting
>>> your Wikimedia password into the watchlistr.com site.  I have no
>>> specific reason to think it's a scam, but if I was trying to phish
>>> passwords I would do something like this.

>> Would something on the toolserver be safe enough in these terms?

> The toolserver rules forbid that:
> https://wiki.toolserver.org/view/Rules (#8)
> However there is gWatch which works without authentication:
> http://toolserver.org/~luxo/gwatch/login.php


Mmm. So solving this properly would require solving many of the
various consolidated/multiple watchlist bugs in MediaWiki itself,
then.


- d.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Gregory Maxwell
On Wed, Jul 22, 2009 at 4:18 PM, David Gerard<[hidden email]> wrote:
> Mmm. So solving this properly would require solving many of the
> various consolidated/multiple watchlist bugs in MediaWiki itself,
> then.

Hm? No. Solving *this* involves having a sysadmin determine the source
IP of the remote logins and scrambling the password of every
account which has logged in through it.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Gerard Meijssen-3
In reply to this post by Sage Ross
Hoi,
Would OpenID make a difference? It seems to me that when you authenticate
to both WMF projects and to this watchlistr, you would not expose passwords
in the wrong place. It also seems to be a solution for allowing Commons to
authenticate in this way.
Thanks,
      GerardM

2009/7/22 Sage Ross <[hidden email]>:

> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
>
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>
> The user who made it has very little editing history, and the site
> aggregates watchlists across multiple projects, but requires inputting
> your Wikimedia password into the watchlistr.com site.  I have no
> specific reason to think it's a scam, but if I was trying to phish
> passwords I would do something like this.
>
> -Sage Ross (User:Ragesoss)
>

Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Gregory Maxwell
On Wed, Jul 22, 2009 at 4:41 PM, Gerard
Meijssen<[hidden email]> wrote:
> Hoi,
> Would OpenID make a difference ? It seems to me that when you authenticate
> to both WMF projects and to this watchlistr, you would not expose passwords
> in the wrong place. It seems to be also a solution of allowing Commons to
> authenticate in this way.

No, not really.

In this case the site wants your credentials so that it can scrape
your watchlists.

If it has your credentials it can impersonate you, which is bad.

It's addressed by making it possible for the site to generate access
cookies for particular resources which you could share.  I.e.
"generate a code that gives someone read only access to my watchlist".


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Happy-melon
In reply to this post by Sage Ross
I have a Greasemonkey script that does this, IMO, very nicely.  I'm not 100%
sure how GM script distribution works, but can't a server put files in a
particular directory to have them be automatically suggested for
installation by Greasemonkey?

I know it's not a perfect or even nice solution, but it might help reduce
the incentive for this sort of thing.  "Well, you *could* give your login
credentials to this unaffiliated unknown site, or you could just install this
WMF-endorsed script on your open source Firefox extension..." isn't a very
difficult decision...

--HM

"Sage Ross" <[hidden email]> wrote in message
news:[hidden email]...

> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>
> The user who made it has very little editing history, and the site
> aggregates watchlists across multiple projects, but requires inputting
> your Wikimedia password into the watchlistr.com site.  I have no
> specific reason to think it's a scam, but if I was trying to phish
> passwords I would do something like this.
>
> -Sage Ross (User:Ragesoss)




Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Aryeh Gregor
In reply to this post by David Gerard-2
On Wed, Jul 22, 2009 at 7:07 PM, Sage Ross<[hidden email]> wrote:
> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool

I think the thing to do about it is block it at the firewall and tell
the user to immediately delete all the data they gathered and never do
anything like it again.  We aren't even just talking about malice
here, if someone else compromises the server they could get access to
a whole bunch of admin accounts if it becomes popular.

The proper way to handle this would either be some form or other of
software support, or use a toolserver tool with direct database
access.

On Wed, Jul 22, 2009 at 7:59 PM, David Gerard<[hidden email]> wrote:
> Would something on the toolserver be safe enough in these terms?

Toolserver projects are forbidden from asking users for login info.
However, the watchlist tables are replicated to the toolserver, just
not made available to unprivileged users.  If a user wanted to make a
script like this, it would be simple to give special access to the
tables to allow it (possibly restricted in such a fashion that the
script author didn't get access, only his vetted code).  The tool
could deal with authentication by, e.g., giving the user an
autogenerated URL and a confirmation code to add to a magic user
subpage (it could check what user created the page).

On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon<[hidden email]> wrote:
> I have a Greasemonkey script that does this, IMO, very nicely.  I'm not 100%
> sure how GM script distribution works, but can't a server put files in a
> particular directory to have them be automatically suggested for
> installation by Greasemonkey?

Greasemonkey is far from ideal.  It only works on the computer you
install it on, and only works for Firefox users.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Ryan Lane-2
In reply to this post by Gregory Maxwell
On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell<[hidden email]> wrote:

> On Wed, Jul 22, 2009 at 4:41 PM, Gerard
> Meijssen<[hidden email]> wrote:
>> Hoi,
>> Would OpenID make a difference ? It seems to me that when you authenticate
>> to both WMF projects and to this watchlistr, you would not expose passwords
>> in the wrong place. It seems to be also a solution of allowing Commons to
>> authenticate in this way.
>
> No, not really.
>
> In this case the site wants your credentials so that it can scrape
> your watchlists.
>
> If it has your credentials it can impersonate you, which is bad.
>
> It addressed by making it possible for the site to generate access
> cookies for particular resources which you could share.  I.e.
> "generate a code that gives someone read only access to my watchlist".
>

What about OpenID + OAuth?

Neither the OpenID plugin nor MediaWiki really supports RBAC in a way
that would make this work, but it is definitely possible.

V/r,

Ryan Lane


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Aryeh Gregor
On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane<[hidden email]> wrote:
> What about OpenID + OAuth?

With MediaWiki support, there would be any number of ways to do it.
Most obvious would be to just have a preference checkbox somewhere
that would create a secret magic URL that would allow unauthenticated
access to your watchlist.  That's the main way that's been put forward
to allow RSS feeds for watchlists.

> Neither the OpenID plugin, or MediaWiki really support RBAC in a way
> that would make this work, but it is definitely possible.

I'm not sure what "RBAC" means here.  We sure do have RBAC for user
accounts -- $wgGroupPermissions does that just fine.  We don't
generically permit users to set up discretionary access control lists
to delegate all their privileges, however.  That would be . . . kind
of bizarre.

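The no-password flow sketched in the two posts above (prove control of the account through a user subpage the tool can attribute to its creator, then a preference-level secret that grants read-only access to the watchlist and nothing else) as an added example; this is illustrative Python, not MediaWiki, toolserver or Watchlistr code. The dict standing in for the wiki, the token store, the `watchlist:read` scope name, the ten-minute code lifetime and the choice to store only a hash of the token are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins. A real tool would fetch page text and the page
# creator through the MediaWiki API; here the wiki is a dict so it runs offline.
WIKI_PAGES = {}      # title -> {"text": str, "creator": str}
PENDING = {}         # user -> {"code": str, "expires": float}
TOKEN_STORE = {}     # sha256(token) -> {"user": str, "scope": str}

CODE_TTL = 600                      # seconds a confirmation code stays valid (assumed)
WATCHLIST_READ = "watchlist:read"   # the only scope this tool ever grants (assumed name)


def auth_page_title(user):
    """The 'magic user subpage' the tool asks the user to create."""
    return f"User:{user}/watchlistr-auth"


def start_verification(user, now=None):
    """Step 1: hand out a one-time code and the subpage title to put it on."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    PENDING[user] = {"code": code, "expires": now + CODE_TTL}
    return code, auth_page_title(user)


def confirm_verification(user, now=None):
    """Step 2: accept only if the subpage exists, was created by the claimed
    user (the wiki's own login already authenticated that edit) and carries
    the unexpired code. The tool never sees a wiki password."""
    now = time.time() if now is None else now
    pending = PENDING.get(user)
    if pending is None or now > pending["expires"]:
        return False
    page = WIKI_PAGES.get(auth_page_title(user))
    if page is None or page["creator"] != user:
        return False
    if not hmac.compare_digest(page["text"].strip().encode(),
                               pending["code"].encode()):
        return False
    del PENDING[user]            # one-time: a replayed code fails
    return True


def issue_watchlist_token(user):
    """Step 3: mint the capability behind the 'secret magic URL'. Only its
    hash is stored, so a copy of the tool's database yields no usable tokens."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user, "scope": WATCHLIST_READ}
    return token


def authorize(token, action):
    """Return the user a presented token acts for, or None. The token grants
    exactly one action; editing or reading deleted revisions is refused."""
    record = TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["scope"] != action:
        return None
    return record["user"]


def revoke_tokens(user):
    """The preference checkbox's 'off' position: drop every token for the user."""
    for key in [k for k, v in TOKEN_STORE.items() if v["user"] == user]:
        del TOKEN_STORE[key]


if __name__ == "__main__":
    code, title = start_verification("Alice")
    WIKI_PAGES[title] = {"text": code, "creator": "Alice"}   # the user's own edit
    assert confirm_verification("Alice")
    token = issue_watchlist_token("Alice")
    print(authorize(token, WATCHLIST_READ))   # Alice
    print(authorize(token, "edit"))           # None
```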

Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Ryan Lane-2
On Wed, Jul 22, 2009 at 7:30 PM, Aryeh
Gregor<[hidden email]> wrote:

> On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane<[hidden email]> wrote:
>> What about OpenID + OAuth?
>
> With MediaWiki support, there would be any number of ways to do it.
> Most obvious would be to just have a preference checkbox somewhere
> that would create a secret magic URL that would allow unauthenticated
> access to your watchlist.  That's the main way that's been put forward
> to allow RSS feeds for watchlists.
>
>> Neither the OpenID plugin, or MediaWiki really support RBAC in a way
>> that would make this work, but it is definitely possible.
>
> I'm not sure what "RBAC" means here.  We sure do have RBAC for user
> accounts -- $wgGroupPermissions does that just fine.  We don't
> generically permit users to set up discretionary access control lists
> to delegate all their privileges, however.  That would be . . . kind
> of bizarre.
>

Check out how the Flickr API works. Users can give web and desktop
apps privileges (read/write/delete).

It isn't really that bizarre of a concept.

V/r,

Ryan Lane


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Brianna Laugher
In reply to this post by Ryan Lane-2
2009/7/23 Ryan Lane <[hidden email]>:

> On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell<[hidden email]> wrote:
>> On Wed, Jul 22, 2009 at 4:41 PM, Gerard
>> Meijssen<[hidden email]> wrote:
>>> Hoi,
>>> Would OpenID make a difference ? It seems to me that when you authenticate
>>> to both WMF projects and to this watchlistr, you would not expose passwords
>>> in the wrong place. It seems to be also a solution of allowing Commons to
>>> authenticate in this way.
>>
>> No, not really.
>>
>> In this case the site wants your credentials so that it can scrape
>> your watchlists.
>>
>> If it has your credentials it can impersonate you, which is bad.
>>
>> It addressed by making it possible for the site to generate access
>> cookies for particular resources which you could share.  I.e.
>> "generate a code that gives someone read only access to my watchlist".
>>
>
> What about OpenID + OAuth?

I think OAuth could be the way to go. (I had it explained to me as: a
way to let 3rd party apps access a service's API on your behalf,
without handing over your password for that service to the 3rd
parties.)

I was thinking that the only private data you can really access via
the API is watchlist, so it's barely worth it, but then I thought that
for 3rd party apps using the write API, you would definitely want to
have an option for a user to use their existing Wiki*edia accounts.

cheers
Brianna

--
They've just been waiting in a mountain for the right moment:
http://modernthings.org/


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Aryeh Gregor
In reply to this post by Ryan Lane-2
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane<[hidden email]> wrote:
> Check out how the Flickr API works. Users can give web and desktop
> apps privileges (read/write/delete).
>
> It isn't really that bizarre of a concept.

Read/write/delete access to what?  The only cases where read access
would be relevant would be what, watchlist and preferences, pretty
much?  I don't think we'd want this for editing, or admin-only stuff
like viewing deleted pages.  Preferences probably don't have a serious
use-case, and if we're only left with watchlists, special-casing is
the way to go.

On Thu, Jul 23, 2009 at 1:18 AM, Brianna
Laugher<[hidden email]> wrote:
> I was thinking that the only private data you can really access via
> the API is watchlist, so it's barely worth it, but then I thought that
> for 3rd party apps using the write API, you would definitely want to
> have an option for a user to use their existing Wiki*edia accounts

It may not be able to take over their accounts, but it could still
edit pages as them, which amounts to the same thing for many practical
purposes.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

John Mark Vandenberg
In reply to this post by Aryeh Gregor
On Thu, Jul 23, 2009 at 9:57 AM, Aryeh
Gregor<[hidden email]> wrote:
> On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon<[hidden email]> wrote:
>> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100%
>> sure how GM script distribution works, but can't a server put files in a
>> particular directory to have them be automatically suggested for
>> installation by Greasemonkey?

Greasemonkey will try and install any file which ends in .js and
includes a few special words.

Where is this script?  I couldn't find it on userscripts.org or here:

http://en.wikipedia.org/wiki/Wikipedia:Tools/Greasemonkey_user_scripts

> Greasemonkey is far from ideal.  It only works on the computer you
> install it on, and only works for Firefox users.

That depends on how complex the script is; it could be turned into a
bookmarklet, and many other browsers support user-scripts.

http://en.wikipedia.org/wiki/Greasemonkey

--
John Vandenberg


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Tim Starling-2
In reply to this post by Sage Ross
Message from the developer. I will see if he's interested in
subscribing, but a forward will do for now.

-------- Original Message --------
Subject: Re: Watchlistr
Date: Thu, 23 Jul 2009 11:20:19 -0500
From: Cody Jung <[hidden email]>
To: Tim Starling <[hidden email]>

Hey there Tim,
Apologies, I am not actually sure how to post to a mailing list; if
you would, could you post this for me?


I completely understand the hesitation (and, indeed, the outright
repulsion) to my application. Although I am confident in the security
of Watchlistr, I realize that, out of the blue, it seems very
suspicious. When I saw the post by MrZaius on the Wikipedia Bounty
Board I thought to myself "Why hasn't anyone done this before? It
seems really easy to implement!"

Now I see why.

Therefore, I would like to address several points brought up by the
Wikitech-l mailing list users. I will start at the top of the thread
and work down, addressing various comments as I go.

To Sage Ross:
Although I have very little editing experience, as far as the
Wikimedia projects go, anyway, when I saw the request for a transwiki
watchlist tool, I thought "this is how I can help improve Wikipedia.
This is something I _know_ how to do, and well." I want to assure
everyone that my intentions were good (if not a little misguided), and
I have no intention of phishing for anyone's accounts.

To Michael Rosenthal:
I have looked at gWatch, but the fundamental issue I see with it is
the fact that you have to "watch" something twice -- you must manually
enter pages to watch, and that just seems a little silly.

To Gregory Maxwell and Aryeh Gregor:
Until such time as my application can be a) proven trustworthy, or b)
improved to *not* use passwords, I have removed all user accounts (all
4 of them...), and frozen registrations. I do, however, ask that you
_please_ do not block the IP addresses at the server level. I am
on a shared hosting solution, and doing that could very well create
issues with other users with my host.

To help in the "proving trustworthy, or else" process, I have released
the source code of Watchlistr - please take a look at it. You will see
that I take the utmost care in securing user information. The wiki
logins are encrypted with AES in our database. The key used to encrypt
each user's login list is their site username, which is stored as a
SHA1 hash in our database. If a cracker were to, somehow, gain access
to the database, they would be left with a pile of garbage.

Here's how the site works:

User logs in -> Their username is hashed and checked against the
database, if it matches -> we make a session with that username as a
variable in it for later access.
When the user accesses their aggregate watchlist for the first time
each session, we take the username, decrypt the wiki list, and log
them in to their sites. The cURL cookies that result are then stored
above the web server, in a protected directory. The passwords do not
get used for the rest of the session (the stored cookies are used
instead).
When the user logs out, the session is destroyed and the cURL
cookiejar is deleted.

As for the other solutions that were presented - I was really trying
to create a cross-platform, cross-browser solution that would not
hinge on one particular technology. Javascript would be great, but
what if someone doesn't have JS enabled? OAuth and a read-only API
would be close-to-ideal, but they currently don't work with/don't
exist on the Wikimedia servers. I am, however, open to other workable
solutions that are presented - let me know.

Apologies once again for the uproar I have caused,
Cody Jung
Developer, Watchlistr


On Wed, Jul 22, 2009 at 10:48 PM, Tim
Starling<[hidden email]> wrote:
> Please comment on the wikitech-l discussion about whether or not to
> block watchlistr.com from Wikimedia servers:
>
> http://lists.wikimedia.org/pipermail/wikitech-l/2009-July/044238.html
>



Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Aryeh Gregor
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling<[hidden email]> wrote:
> To help in the "proving trustworthy, or else" process, I have released
> the source code of Watchlistr - please take a look at it. You will see
> that I take the utmost care in securing user information. The wiki
> logins are encrypted with AES in our database. The key used to encrypt
> each user's login list is their site username, which is stored as a
> SHA1 hash in our database. If a cracker were to, somehow, gain access
> to the database, they would be left with a pile of garbage.

They would only have to get the site usernames to decrypt the login
info.  They could get those the next time each user logs in, if
they're not detected immediately.  There's no way around this; if your
program can log in as the users, so can an attacker who's able to
subvert your program.

> As for the other solutions that were presented - I was really trying
> to create a cross-platform, cross-browser solution that would not
> hinge on one particular technology. Javascript would be great, but
> what if someone doesn't have JS enabled? OAuth and a read-only API
> would be close-to-ideal, but they currently don't work with/don't
> exist on the Wikimedia servers. I am, however, open to other workable
> solutions that are presented - let me know.

I would suggest you apply for a toolserver account:

https://wiki.toolserver.org/view/Account_approval_process

Once you have a toolserver account, I'd be willing to work with you to
arrange for some form of direct access to all wikis' watchlist tables
(I'm a toolserver root).  You then wouldn't need to possess any login
info.


Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Cody Jung
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling<tstarling <at> wikimedia.org> wrote:
>
> They would only have to get the site usernames to decrypt the login
> info.  They could get those the next time each user logs in, if
> they're not detected immediately.  There's no way around this; if your
> program can log in as the users, so can an attacker who's able to
> subvert your program.

Wouldn't adding a salt fix this? They would have to have the
username, the database, and the salt value to decrypt the wiki list.

>
> I would suggest you apply for a toolserver account:
>
> https://wiki.toolserver.org/view/Account_approval_process
>
> Once you have a toolserver account, I'd be willing to work with you to
> arrange for some form of direct access to all wikis' watchlist tables
> (I'm a toolserver root).  You then wouldn't need to possess any login
> info.
>

I attempted to apply for a toolserver account, but it appears that the
server at http://toolserver.org/accountrequest is down (as of 1:27pm CDT).

~Cody




Re: Watchlistr.com, an outside site that asks for Wikimedia passwords

Happy-melon
In reply to this post by Aryeh Gregor


"Aryeh Gregor" <[hidden email]> wrote in message
news:[hidden email]...

> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling<[hidden email]>
> wrote:
>> To help in the "proving trustworthy, or else" process, I have released
>> the source code of Watchlistr - please take a look at it. You will see
>> that I take the utmost care in securing user information. The wiki
>> logins are encrypted with AES in our database. The key used to encrypt
>> each user's login list is their site username, which is stored as a
>> SHA1 hash in our database. If a cracker were to, somehow, gain access
>> to the database, they would be left with a pile of garbage.
>
> They would only have to get the site usernames to decrypt the login
> info.  They could get those the next time each user logs in, if
> they're not detected immediately.  There's no way around this; if your
> program can log in as the users, so can an attacker who's able to
> subvert your program.

Or, since the set of registered Wikimedia users is both vastly smaller than
the superset of all possible usernames (remember it's restricted to users
with a global login AFAICT), and readily accessible through a
high-throughput API, a brute-force attack would be, if not trivial,
certainly extremely feasible.

>
>> As for the other solutions that were presented - I was really trying
>> to create a cross-platform, cross-browser solution that would not
>> hinge on one particular technology. Javascript would be great, but
>> what if someone doesn't have JS enabled? OAuth and a read-only API
>> would be close-to-ideal, but they currently don't work with/don't
>> exist on the Wikimedia servers. I am, however, open to other workable
>> solutions that are presented - let me know.
>
> I would suggest you apply for a toolserver account:
>
> https://wiki.toolserver.org/view/Account_approval_process
>
> Once you have a toolserver account, I'd be willing to work with you to
> arrange for some form of direct access to all wikis' watchlist tables
> (I'm a toolserver root).  You then wouldn't need to possess any login
> info.

This looks like a *much* more acceptable system.  Although how would you
authenticate without collecting proscribed data...?

--HM



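The at-rest scheme described in the forwarded message (login list encrypted under a key that is the site username, with SHA1 of that username stored beside it) and the reason the two replies above give for distrusting it, as an added example; this is illustrative Python, not Watchlistr's released code. The rows and the candidate-username list are constructed, the key is derived from the username through SHA-256 only to get a fixed key length (an assumption about the original), and an HMAC-SHA256 keystream stands in for AES because the standard library has none; the defect shown is the key, not the cipher.

```python
import hashlib
import hmac


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode, XORed over the
    data (encrypt and decrypt are the same call). It replaces AES only because
    the standard library has none; nothing below depends on the cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def store_row(username: str, wiki_logins: str, salt: bytes = b"") -> dict:
    """The scheme as described: SHA1 of the site username, and the wiki login
    list encrypted under a key that is a function of that same username.
    `salt`, when used, has to sit in the same row for the site to decrypt."""
    material = salt + username.encode()
    key = hashlib.sha256(material).digest()          # assumed key derivation
    return {"salt": salt,
            "user_hash": hashlib.sha1(material).hexdigest(),
            "logins": keystream_cipher(key, wiki_logins.encode())}


def recover_from_dump(rows, candidate_usernames):
    """What a copy of the table alone gives up. The stored SHA1 tells the
    holder when a candidate username is right, and the right username *is*
    the key, so every matched row decrypts. A salt kept in the row only forces
    this loop to run per row instead of against one precomputed table."""
    recovered = {}
    for row in rows:
        for user in candidate_usernames:
            material = row["salt"] + user.encode()
            if hashlib.sha1(material).hexdigest() != row["user_hash"]:
                continue
            key = hashlib.sha256(material).digest()
            recovered[user] = keystream_cipher(key, row["logins"]).decode()
            break
    return recovered


# Constructed rows and a constructed candidate list; no real accounts involved.
CONSTRUCTED_ROWS = [
    store_row("Alice", "enwiki:Alice:hunter2;dewiki:Alice:hunter3"),
    store_row("Zed", "commons:Zed:correcthorse", salt=bytes.fromhex("a1b2c3d4")),
]
CANDIDATES = ["Alice", "Bob", "Carol", "Zed"]

if __name__ == "__main__":
    for user, logins in recover_from_dump(CONSTRUCTED_ROWS, CANDIDATES).items():
        print(user, "->", logins)
```

The salted row recovers just as readily as the unsalted one because the salt travels with the record; a salt kept outside the database is then simply a key that anyone able to subvert the running application can also read, which is the limit the reply above describes.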