[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T361295

CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Mar 28 2024, 8:04 PM
Tags
Referenced Files
F44155718: T361295.patch
Apr 2 2024, 11:28 AM
F43693102: image.png
Mar 28 2024, 8:41 PM
F43689992: image.png
Mar 28 2024, 8:04 PM
F43690557: image.png
Mar 28 2024, 8:04 PM
F43690027: image.png
Mar 28 2024, 8:04 PM
Subscribers
Aklapper
Djackson-ctr
dom_walden
Dreamy_Jazz
gerritbot
GMikesell-WMF
kostajh
View All 9 Subscribers

Description

If a user with the checkuser group, but not the suppressor group, performs a 'ipusers` CheckUser API request on an IP address which has been used by a user that has been blocked with hideuser, then the username of the hidden user will be displayed.

Note: This was an issue before the refactoring done in T341827, and so that ticket has not caused this (in fact it fixed log entries having deleted information displayed).

For example:

The block entry with hideuser setThe leak in the ipusers check typethe leak in the actions check typeThe contributions page for that hidden user
image.png (96×1 px, 39 KB)
image.png (508×1 px, 58 KB)
image.png (454×1 px, 61 KB)
image.png (304×1 px, 28 KB)
Steps to reproduce
  1. Block a user with hideuser enabled using an account with the suppressor group
  2. Log into an account with just the checkuser group
  3. Open Special:ApiSandbox and select action as query, list as checkuser, and then curequest as ipusers or actions
  4. Provide the check target as an IP address used by the account that was blocked in step 2
  5. Run the check
  6. Search for the username of the blocked user

Details

Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
SECURITY: Hide hidden usernames in the CheckUser APImediawiki/extensions/CheckUserREL1_39+48 -7
SECURITY: Hide hidden usernames in the CheckUser APImediawiki/extensions/CheckUserREL1_40+48 -8
SECURITY: Hide hidden usernames in the CheckUser APImediawiki/extensions/CheckUserREL1_41+47 -8
SECURITY: Hide hidden usernames in the CheckUser APImediawiki/extensions/CheckUsermaster+129 -2
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Mar 28 2024, 8:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 8:04 PM
Dreamy_Jazz attached a referenced file: F43689992: image.png. (Show Details)Mar 28 2024, 8:04 PM
Dreamy_Jazz attached a referenced file: F43690027: image.png. (Show Details)
JJMC89 added a project: CheckUser.Mar 28 2024, 8:06 PM
Dreamy_Jazz updated the task description. (Show Details)Mar 28 2024, 8:08 PM
Dreamy_Jazz added a project: Trust and Safety Product Team.
JJMC89 added a project: Vuln-Infoleak.Mar 28 2024, 8:11 PM
Dreamy_Jazz mentioned this in T341827: Add read new support to the CheckUser API.Mar 28 2024, 8:13 PM
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)).
Dreamy_Jazz added subscribers: Tchanders, STran, kostajh.
Dreamy_Jazz renamed this task from CheckUser API for the 'ipusers' request type shows hidden usernames to those who cannot see them to CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.Mar 28 2024, 8:41 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 2 2024, 9:11 AM
Dreamy_Jazz claimed this task.Apr 2 2024, 10:44 AM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 2 2024, 11:28 AM
Dreamy_Jazz added a project: Patch-For-Review.

Proposed patch:

T361295.patch9 KBDownload

Dreamy_Jazz set the point value for this task to 2.Apr 2 2024, 11:29 AM
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 2 2024, 5:53 PM
sbassett added a project: security-bug.Apr 2 2024, 6:59 PM
Tchanders added a comment.Apr 3 2024, 11:14 AM

Looks good: +2

Tchanders added a comment.Apr 3 2024, 11:15 AM

In general, as a user with 'checkuser' but not 'hideuser' I can search for the IPs of a hidden user's username and see the same results as if I had 'hideuser' (via the API and Special:CheckUser). I would have to guess their name correctly, of course. Is this a problem worth fixing?

Dreamy_Jazz added a comment.Apr 3 2024, 1:03 PM
In T361295#9683847, @Tchanders wrote:

In general, as a user with 'checkuser' but not 'hideuser' I can search for the IPs of a hidden user's username and see the same results as if I had 'hideuser' (via the API and Special:CheckUser). I would have to guess their name correctly, of course. Is this a problem worth fixing?

Considering that Special:Log will show the log entries matching a hidden username if you search by the exact username and that checks are logged, I think the risk of someone guessing usernames to find a hidden username is low and also a user who already knows the username doesn't have the information leaked to them by the CheckUser interfaces (because they know the username).

Dreamy_Jazz added a comment.Apr 3 2024, 1:03 PM

I will deploy this soon.

Dreamy_Jazz moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 3 2024, 1:03 PM
Dreamy_Jazz added a comment.Apr 4 2024, 3:04 PM

Deployed now.

Dreamy_Jazz added a subscriber: gerritbot.Apr 4 2024, 3:18 PM
gerritbot added a comment.Apr 4 2024, 3:19 PM

Change #1017095 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017095

gerritbot added a comment.Apr 4 2024, 3:56 PM

Change #1017095 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017095

Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.25; 2024-04-02).Apr 4 2024, 4:01 PM
gerritbot added a comment.Apr 4 2024, 6:08 PM

Change #1016884 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016884

gerritbot added a comment.Apr 4 2024, 6:24 PM

Change #1016885 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016885

gerritbot added a comment.Apr 4 2024, 6:52 PM

Change #1017126 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017126

gerritbot added a comment.Apr 4 2024, 6:59 PM

Change #1016884 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_41] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016884

gerritbot added a comment.Apr 4 2024, 7:18 PM

Change #1016885 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_40] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1016885

Dreamy_Jazz moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 4 2024, 7:24 PM
Dreamy_Jazz added subscribers: GMikesell-WMF, Djackson-ctr, dom_walden.
gerritbot added a comment.Apr 4 2024, 7:26 PM

Change #1017126 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide hidden usernames in the CheckUser API

https://gerrit.wikimedia.org/r/1017126

dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 5 2024, 2:50 PM

I suppress blocked every user on my wiki, but made sure all revisions, logs and archived revisions were visible (deleted value of 0). I then ran the CheckUser API for every username and IP in cu_changes. I could only see suppressed usernames in the "summary" of the actions request type.

When I then change the visibility of revisions and logs to deleted I do not see any usernames in the API response.

Test environment: Local docker CheckUser 2.5 (10af857) 15:58, 4 April 2024.

Dreamy_Jazz closed this task as Resolved.Apr 5 2024, 3:22 PM
hashar subscribed.Apr 9 2024, 8:26 AM

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

mmartorana renamed this task from CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them to CVE-2024-40610: CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them.Jul 8 2024, 5:32 PM
hashar unsubscribed.Jul 8 2024, 9:04 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 8:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits