CVE-2024-34505: Temporary account IP reveal does not check the deleted status of the performer before revealing the IP address associated with an edit/log event
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To

Authored By

	Dreamy_Jazz
	Jan 19 2024, 3:13 PM

Description

The CheckUser extension provides the ability for users with the checkuser-temporary-account right to view the IP address associated with temporary accounts. This REST API does not check the deleted status of the performer on log actions and edits that are looked up.

The risk with this is somewhat limited because you must already know the temporary account username. However, these are auto-generated in a serial manner which means that guessing the username is not difficult if you make multiple requests or look at Special:ListUsers for missing usernames.

The risk with this is that users who log out of their account by accident and then make an edit have the IP address that made the edit suppressed on WMF wikis. However, if the wiki uses temporary accounts then suppressing the performer of the edit and/or blocking the temporary account with hideuser enabled does not prevent a user from using the REST API to find the IP address used to make the edit. This would allow an attacker to get the IP address associated with a registered user who forgot to log in to make their edit, even if the users with the ability to suppress information had attempted to hide the data.

Note: This security issue is currently not exploitable on production as temporary accounts are not enabled there and this REST API can only be used if temporary accounts are enabled. This does affect any third-party wiki that uses CheckUser with temporary account autocreation enabled.

Steps to reproduce

Make an edit on a wiki with temporary account creation enabled
Log into an account with the ability to suppress information
Suppress the temporary account username on the edit made in step 1
Log out and into an account with just the checkuser-temporary-account right
Go to Special:Preferences and make sure to check the checkuser-temporary-account-enable preference
Make a GET request to the REST API with the URL /checkuser/v0/temporaryaccount/{name}/revisions/{ids} where {name} is replaced with the temporary account username used to make the edit in step 1 and the {ids} is replaced with the revision ID of the edit made in step 1

What happens
The IP address associated with the edit made in step 1 is returned

What should have happened
The IP address was not returned as the performer of the edit was suppressed

QA Results - Local

AC	Status	Details
1	✅	https://phabricator.wikimedia.org/T355434 here

Details

Risk Rating: Medium
Author Affiliation: WMF Technology Dept

Subject	Repo	Branch	Lines +/-
[SECURITY] Check for deleted status in temp account REST APIs	mediawiki/extensions/CheckUser	master	+520 -20
[SECURITY] Check for deleted status in temp account REST APIs	mediawiki/extensions/CheckUser	REL1_41	+192 -5
[SECURITY] Check for deleted status in temp account REST APIs	mediawiki/extensions/CheckUser	REL1_40	+155 -4

Customize query in gerrit

Related Objects

Mentioned In: T357523: Temporary account IP reveal fails for log entries that are for the creation of a page
T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)
Mentioned Here: T357523: Temporary account IP reveal fails for log entries that are for the creation of a page
rECHU4642899346f2: build: Updating dependencies
rMW289a900665ed: Allow filter: in inline CSS.
T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)

Event Timeline

Dreamy_Jazz created this task.Jan 19 2024, 3:13 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 19 2024, 3:13 PM

Dreamy_Jazz added projects: Trust and Safety Product Team, CheckUser, Temporary accounts.Jan 19 2024, 3:13 PM

Dreamy_Jazz updated the task description. (Show Details)Jan 19 2024, 3:18 PM

Dreamy_Jazz added subscribers: Urbanecm_WMF, Tchanders, STran, kostajh.

Dreamy_Jazz updated the task description. (Show Details)Jan 19 2024, 3:20 PM

Dreamy_Jazz updated the task description. (Show Details)

Urbanecm added a subscriber: Vermont.Jan 19 2024, 4:23 PM

Tchanders added a subscriber: Madalina.Jan 19 2024, 6:40 PM

Tchanders added a project: Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)).Jan 19 2024, 7:03 PM

Dreamy_Jazz updated the task description. (Show Details)Jan 22 2024, 12:44 PM

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 22 2024, 5:13 PM

Dreamy_Jazz claimed this task.Jan 22 2024, 6:22 PM

Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.

Dreamy_Jazz moved this task from Inbox to Ready on the Temporary accounts board.Jan 24 2024, 4:19 PM

@sbassett can I just upload the fix publicly and then backport it? I think this is okay because:

This does not affect production (because temporary accounts are not enabled), and as such does not need to be deployed there
CheckUser is not a bundled extension, and as such my understanding is that security patches can be backported at any time after production is fixed (which doesn't apply because of point 1)

I ask this because I want to run the patch I have through CI, which I can't do unless it is on gerrit.

I have the following which I think is ready for review. The tests pass on my local environment, but I do not know whether they will pass in CI.

T355434.patch18 KBDownload

Dreamy_Jazz moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)) board.Jan 24 2024, 6:48 PM

Dreamy_Jazz set the point value for this task to 2.Jan 24 2024, 6:51 PM

In T355434#9486169, @Dreamy_Jazz wrote:

@sbassett can I just upload the fix publicly and then backport it? I think this is okay because:

This does not affect production (because temporary accounts are not enabled), and as such does not need to be deployed there

CheckUser is not a bundled extension, and as such my understanding is that security patches can be backported at any time after production is fixed (which doesn't apply because of point 1)

I'd agree that having this go through gerrit is low-risk given the above justifications. We can open up this task as well, if you'd like, though I did add @gerritbot as a subscriber. I'd also like to track this at T353904.

In T355434#9486206, @sbassett wrote:

In T355434#9486169, @Dreamy_Jazz wrote:

@sbassett can I just upload the fix publicly and then backport it? I think this is okay because:

This does not affect production (because temporary accounts are not enabled), and as such does not need to be deployed there

CheckUser is not a bundled extension, and as such my understanding is that security patches can be backported at any time after production is fixed (which doesn't apply because of point 1)

I'd agree that having this go through gerrit is low-risk given the above justifications. We can open up this task as well, if you'd like, though I did add @gerritbot as a subscriber. I'd also like to track this at T353904.

Thanks. I will upload to this gerrit now.

We can probably leave this protected until the backports are done, but happy either way.

Change 992795 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [SECURITY] Check for deleted status in temp account REST APIs

https://gerrit.wikimedia.org/r/992795

gerritbot added a project: Patch-For-Review.Jan 24 2024, 7:02 PM

Change 992769 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] [SECURITY] Check for deleted status in temp account REST APIs

https://gerrit.wikimedia.org/r/992769

Change 992770 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] [SECURITY] Check for deleted status in temp account REST APIs

https://gerrit.wikimedia.org/r/992770

Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)); removed Trust and Safety Product Sprint (Sprint Northumbrian smallpipes (8th Jan.‘24 - 19th Jan.'24)).Jan 29 2024, 1:07 PM

Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Jan 29 2024, 1:30 PM

Change 992770 abandoned by Dreamy Jazz:

[mediawiki/extensions/CheckUser@REL1_40] [SECURITY] Check for deleted status in temp account REST APIs

Reason:

Discussed in TSP meeting and decided that we shouldn't need backports.

https://gerrit.wikimedia.org/r/992770

Change 992769 abandoned by Dreamy Jazz:

[mediawiki/extensions/CheckUser@REL1_41] [SECURITY] Check for deleted status in temp account REST APIs

Reason:

Discussed in a TSP meeting and decided this shouldn't need backports.

https://gerrit.wikimedia.org/r/992769

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Jan 30 2024, 11:00 AM

Change 992795 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] [SECURITY] Check for deleted status in temp account REST APIs

https://gerrit.wikimedia.org/r/992795

sbassett triaged this task as Medium priority.Feb 5 2024, 4:27 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Medium.

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.Feb 5 2024, 4:31 PM

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.17; 2024-02-06).Feb 5 2024, 5:00 PM

Suggested QA steps:

Enable temporary account autocreation
Make at least two edits and two log actions on one temporary account username. Then make one or more edits on another temporary account username.
Log into an account with the checkuser and suppress groups
Block the second temporary account from step 2 with hideuser
Suppress the performer of one edit and one log action from the temporary user created first in step 2. Note down the revision ID and log ID you suppressed for future steps.
Make a request to /checkuser/v0/temporaryaccount/{name} where {name} is replaced with the temporary account you suppressed in step 4
Verify that you see IP addresses in the result
Log out and then log into an account with just the checkuser group
Repeat step 6 and verify that you instead receive a 404 error
Get the revision ID of the suppressed edit from step 5and one other revision ID for an edit performed by that temporary account. Use these to make a request to /checkuser/v0/temporaryaccount/{name}/revisions/{ids} where {ids} is generated by combining the revision IDs using the | character and {name} is the temporary account username. For example, /checkuser/v0/temporaryaccount/*Unregistered 10/revisions/101|102
Verify that the response to the request in step 10 has one entry in the ips array for the revision ID that did not have the performer suppressed, but the revision ID that was suppressed is not present.
Get the log ID of the suppressed log from step 5 and one other log ID performed by that temporary account. Use these to make a request to /checkuser/v0/temporaryaccount/{name}/logs/{ids} where {ids} is generated by combining the log IDs using the | character and {name} is the temporary account username. For example, /checkuser/v0/temporaryaccount/*Unregistered 10/logs/101|102
Verify that the response to the request in step 12 has one entry in the ips array for the log ID that did not have the performer suppressed, but the log ID that was suppressed is not present.

sbassett mentioned this in T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1).Feb 7 2024, 8:48 PM

Maintenance_bot removed a project: Patch-For-Review.Feb 7 2024, 9:30 PM

@Dreamy_Jazz Everything was good until the last couple of steps for me with the logs. Can you please review the .webm I have below to see if I'm missing something from steps 12-13?

Status: ❌ FAIL (Steps 12-13)
Environment: Local: 1.42.0-alpha (289a900)17:59, 13 February 2024; Checkuser: 2.5 (4642899) 11:11, 13 February 2024
OS: macOS Sonoma 14.2.1
Browser: Chrome 121
Skins. Vector 2022
Device: MBA M2
Emulated Device:: n/a
Test Links:
http://localhost:8080/w/index.php?title=Lion&action=history
http://localhost:8080/w/index.php?title=Samurai&action=history

Steps 1-3 ✅

Temp Acct (2 edits/2log)	Temp Acct just edits	User w/checkuser &suppress

Steps 4-7 ✅

Steps 8-9 ✅

Steps 10-11 ✅

Steps 12-13 Log ID 17 is suppressed Special:Log ❌
http://localhost:8080/w/rest.php/checkuser/v0/temporaryaccount/~2024-13/logs/16|17

GMikesell-WMF updated the task description. (Show Details)Feb 13 2024, 8:11 PM

Dreamy_Jazz mentioned this in T357523: Temporary account IP reveal fails for log entries that are for the creation of a page.Feb 14 2024, 12:19 PM

@Dreamy_Jazz

I tried another log type with "move" and I'm seeing both IP addresses even though the other one is suppressed as seen in the .webm below with a user with only checkuser only rights.

@Dreamy_Jazz Previous steps have been passed as seen in https://phabricator.wikimedia.org/T355434#9539736. After suppressing in Special:Log for step 12, I was able to get the result as expected as seen in the screenshots below. The original issue that was noticed of that the CheckUser extension does not store the IP address associated with the log event for page creation, T357523: Temporary account IP reveal fails for log entries that are for the creation of a page has been created. This task will be moved to Done. Thanks for all your work and steps!

Status: ✅PASS (Steps 12-13)
Environment: Local: 1.42.0-alpha (289a900)17:59, 13 February 2024; Checkuser: 2.5 (4642899) 11:11, 13 February 2024
OS: macOS Sonoma 14.2.1
Browser: Chrome 121
Skins. Vector 2022
Device: MBA M2
Emulated Device:: n/a
Test Links:
http://localhost:8080/w/index.php?title=King_of_Beasts&action=history
Special:Log

Log Surpressed	Result

GMikesell-WMF updated the task description. (Show Details)Feb 14 2024, 7:07 PM

GMikesell-WMF moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Kazoo (Jan 29 - Feb 9 2024)) board.

Dreamy_Jazz closed this task as Resolved.Feb 14 2024, 7:28 PM

Johannnes89 subscribed.Apr 26 2024, 3:09 PM

Mstyles renamed this task from Temporary account IP reveal does not check the deleted status of the performer before revealing the IP address associated with an edit/log event to CVE-2024-34505: Temporary account IP reveal does not check the deleted status of the performer before revealing the IP address associated with an edit/log event.May 6 2024, 9:09 AM

Dreamy_Jazz moved this task from General / Unsorted to Temporary account IP reveal on the CheckUser board.May 28 2024, 4:53 PM

	F41884523: T355434_CU_TU.webm
	Feb 13 2024, 8:10 PM

CVE-2024-34505: Temporary account IP reveal does not check the deleted status of the performer before revealing the IP address associated with an edit/log eventClosed, ResolvedPublic2 Estimated Story PointsSecurityActions