Jeremy Stanley <[email protected]> writes:

> On 2016-02-12 17:09:12 +0000 (+0000), Jeremy Stanley wrote:
>> Wow! That's interesting. I wonder if there's an auth hole in the
>> mobile browser support in Mediawiki? If you try to log in with a
>> normal browser it sends you to login.launchpad.net to do OpenID
>> authentication.
>
> It does indeed look like Mediawiki "Mobile View" uses standard
> password authentication and not the OpenID authentication we force
> for the normal "Desktop View." The account creation process for it
> at
> <URL: https://wiki.openstack.org/w/index.php?title=Special:UserLogin&type=signup&returnto=Main+Page&returntoquery=campaign%3DleftNavSignup >
> prompts for a "secret word" so if that's something
> default/discoverable/guessable then I suppose this is a trivial
> bypass of our OpenID restriction. Anybody happen to be familiar with
> this? I'm inclined to figure out how to disable the mobile view
> until someone has time to research and fix it to use OpenID
> exclusively.

I spot-checked three of the spammer accounts in the db; they had launchpad OpenID accounts.

-Jim
