Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Sun, Jul 26, 2009 at 9:22 AM, Andrew Garrett wrote:
> Some feedback:
> * I think you should create a new field class for preferences to allow the user to enter a token or press a button to have one generated. This would also allow you to add the link to the feed underneath.
> * I think you should add appropriate meta tags and sidebar links to the RSS feed.

Feel free to do so yourself. :) I might find the time, or might not, given my schedule these days.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On 24/07/2009, at 2:34 AM, Aryeh Gregor wrote:
> On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung wrote:
>> Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list.
>
> In other words, they would have to have access to your server, nothing more. No, it wouldn't fix it.
>
> After some discussion in #wikimedia-toolserver, Duesentrieb pointed out that a) this issue would be solved if MediaWiki just allowed RSS feeds for watchlists, and b) it would probably take less work for me to add that feature to MediaWiki than to develop an authentication framework that would allow users to securely permit toolserver apps access to their watchlists. MrZ-man helpfully pointed out that the API already supports watchlist feeds, so I was able to hack on support for token-based authentication pretty easily:
>
> http://www.mediawiki.org/wiki/Special:Code/MediaWiki/53703
>
> Major limitations right now are 1) the default is an empty string, which means "don't use", so it's opt-in; 2) the URL for the feed isn't actually output anywhere. Watchlist aggregators should now be easy to set up, plus people can just use their favorite feed reader.

Awesome, I've been meaning to implement this for ages.

Some feedback:
* I think you should create a new field class for preferences to allow the user to enter a token or press a button to have one generated. This would also allow you to add the link to the feed underneath.
* I think you should add appropriate meta tags and sidebar links to the RSS feed.

--
Andrew Garrett
agarr...@wikimedia.org
http://werdn.us/
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Fri, Jul 24, 2009 at 2:24 AM, Tim Starling wrote:
> There's plenty of ways to attack watchlistr without fully compromising the server.

The point is that a system that allowed stealing the logins of hundreds of Wikipedia users if you managed to compromise a third-party website run to unknown security standards is unacceptable. *Even* if it's set up so you really do have to be able to run arbitrary code as the web user to get the data -- and in this case security appeared to be even lower. Malice is also a concern in the general case, although it might not be a concern here.

So any solution that allows either of the following is unacceptable:

1) The compromise of a(n additional) third party run to unknown security standards could result in many Wikipedia user accounts being taken over.
2) A third party becoming malicious could result in many Wikipedia user accounts being taken over.

Hopefully my watchlist-reading code will be deemed acceptable. I'm reminded (by Domas, of course) that watchlists are actually a very expensive operation, so I wouldn't be entirely surprised if this gets $wgMiserModed away before or shortly after deployment, when users start requesting 400 wikis' watchlists every fifteen minutes. I wish there were some good solution to this. How do other sites handle giant numbers of users watching changes to zillions of pages? Throwing hardware at it?
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Aryeh Gregor wrote:
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote:

You know you could have changed that header to indicate who actually wrote it. It's not against the laws of the internet.

>> To help in the "proving trustworthy, or else" process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage.
>
> They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program.

There's plenty of ways to attack watchlistr without fully compromising the server. There is no HTML escaping whatsoever, so the thing is full of XSS vulnerabilities. For the most part it's escaped for SQL on the input side, which is hard to verify and easy to mess up. Indeed I found a place where it was messed up, an SQL injection vulnerability. It appears to allow compromise of any user's wiki passwords. The AES encryption does not affect the viability of the attack, since you can use XSS to screen scrape the unhashed username.

I contacted Cody about this privately and he confirmed that the scripts are offline and the user database has been deleted, so we're free to talk about it publicly.

--
Tim Starling
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung wrote:
> Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list.

In other words, they would have to have access to your server, nothing more. No, it wouldn't fix it.

After some discussion in #wikimedia-toolserver, Duesentrieb pointed out that a) this issue would be solved if MediaWiki just allowed RSS feeds for watchlists, and b) it would probably take less work for me to add that feature to MediaWiki than to develop an authentication framework that would allow users to securely permit toolserver apps access to their watchlists. MrZ-man helpfully pointed out that the API already supports watchlist feeds, so I was able to hack on support for token-based authentication pretty easily:

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/53703

Major limitations right now are 1) the default is an empty string, which means "don't use", so it's opt-in; 2) the URL for the feed isn't actually output anywhere. Watchlist aggregators should now be easy to set up, plus people can just use their favorite feed reader.

On Thu, Jul 23, 2009 at 6:47 PM, Brion Vibber wrote:
> At the moment, yes. However additional information is likely to end up existing in the future; some more social features ("friend" graph, mentor/mentee relationships, private messaging) would have obvious benefits to making new-user workflow smoother.

I hope MediaWiki doesn't start tacking on random social networking features, though!
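The token-based feed access described in the message above, as an added example: this is my own model of the design, not MediaWiki's code and not the revision linked in the message. It separates two credentials: the password, which authorises everything, and a random per-user feed token, which authorises exactly one read-only resource. The `WatchlistService` class and its method names are hypothetical; the `wlowner`/`wltoken` parameter names in `feed_url()` are the ones MediaWiki's API later used for this feature and are not taken from the page. One detail the example takes from the message is the opt-in default of an empty string, which is the edge case `read_feed()` guards against explicitly: a naive equality check would accept an empty token for every user who never enabled the feature. The example also stores only a hash of the token, which goes beyond what the message describes.

```python
# Added example, not MediaWiki's code. Models token-scoped, read-only
# watchlist feed access next to the ordinary password path.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16  # 128 bits: a token cannot be guessed, unlike a username


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    watchlist: list = field(default_factory=list)
    # Stored as a hash. Empty string = feature disabled (the opt-in default).
    feed_token_hash: str = ""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Tokens are high-entropy, so a plain hash suffices; hashing means a
    # leaked database does not contain usable feed tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class WatchlistService:
    """Two doors: the password opens everything, the feed token opens
    one read-only resource and nothing else."""

    def __init__(self):
        self.users: dict = {}

    def add_user(self, name: str, password: str, watchlist) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = UserRecord(salt, _hash_password(password, salt), list(watchlist))

    def _check_password(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def generate_feed_token(self, name: str) -> str:
        """Create or rotate the token. The plaintext is returned once, for the
        preferences UI to display, and is never stored."""
        token = secrets.token_hex(TOKEN_BYTES)
        self.users[name].feed_token_hash = _hash_token(token)
        return token

    def revoke_feed_token(self, name: str) -> None:
        self.users[name].feed_token_hash = ""

    def feed_url(self, name: str, token: str) -> str:
        # Parameter names as MediaWiki's API later used them (assumption).
        return f"/w/api.php?action=feedwatchlist&wlowner={name}&wltoken={token}"

    def read_feed(self, name: str, token: str):
        """Return a copy of the watchlist, or None if the token is not valid.
        The explicit empty-string checks are the point: "" is the opt-in
        default, so it must never match anything."""
        user = self.users.get(name)
        if user is None or user.feed_token_hash == "" or token == "":
            return None
        if not hmac.compare_digest(_hash_token(token), user.feed_token_hash):
            return None
        return list(user.watchlist)

    def edit_page(self, name: str, credential: str, title: str) -> bool:
        """Writes still need the real credential; a feed token presented here
        is rejected, so a leaked token cannot be used to impersonate the user."""
        if not self._check_password(name, credential):
            return False
        # The edit itself is out of scope; only the authorisation decision matters here.
        return True
```

Rotating the token (calling `generate_feed_token()` again) invalidates any feed URL the user has pasted into an aggregator, which is the revocation story for a leaked URL; nothing else about the account changes.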
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On 07/22/2009 06:39 PM, Aryeh Gregor wrote:
> On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane wrote:
>> Check out how the Flickr API works. Users can give web and desktop apps privileges (read/write/delete).
>>
>> It isn't really that bizarre of a concept.
>
> Read/write/delete access to what? The only cases where read access would be relevant would be what, watchlist and preferences, pretty much?

At the moment, yes. However additional information is likely to end up existing in the future; some more social features ("friend" graph, mentor/mentee relationships, private messaging) would have obvious benefits to making new-user workflow smoother.

-- brion
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On 07/22/2009 05:11 PM, Ryan Lane wrote:
> On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote:
>> If it has your credentials it can impersonate you, which is bad.
>>
>> It's addressed by making it possible for the site to generate access cookies for particular resources which you could share. I.e. "generate a code that gives someone read only access to my watchlist".
>
> What about OpenID + OAuth?

In theory yes, I'd like to support that sort of thing.

(For those unfamiliar: this would allow third party tools or sites to request limited access on a user's behalf, without exposing the user's password credentials to that third-party tool. The user would need to agree to exactly which information would be provided to the tool, and would be able to revoke the access in the future. This is broadly similar to the authorization for Flickr API clients and Facebook apps, but lots of sites are transitioning from their older proprietary protocols for this to OpenID+OAuth.)

-- brion
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 8:50 PM, Happy-melon wrote:
> "Aryeh Gregor" wrote in message news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com...
>> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote:
>>> To help in the "proving trustworthy, or else" process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage.
>>
>> They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program.
>
> Or, since the set of registered Wikimedia users is both vastly smaller than the superset of all possible usernames (remember it's restricted to users with a global login AFAICT), and readily accessible through a high-throughput API, a brute-force attack would be, if not trivial, certainly extremely feasible.
>
>>> As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know.
>>
>> I would suggest you apply for a toolserver account:
>>
>> https://wiki.toolserver.org/view/Account_approval_process
>>
>> Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info.
>
> This looks like a *much* more acceptable system. Although how would you authenticate without collecting proscribed data...?

Let the user prove account ownership by a talk page edit. This was the way Interiot used in his old edit counter... (is this one still active?)

Marco

--
VMSoft GbR
Nabburger Str. 15
81737 München
Geschäftsführer: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
"Aryeh Gregor" wrote in message news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com...
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote:
>> To help in the "proving trustworthy, or else" process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage.
>
> They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program.

Or, since the set of registered Wikimedia users is both vastly smaller than the superset of all possible usernames (remember it's restricted to users with a global login AFAICT), and readily accessible through a high-throughput API, a brute-force attack would be, if not trivial, certainly extremely feasible.

>> As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know.
>
> I would suggest you apply for a toolserver account:
>
> https://wiki.toolserver.org/view/Account_approval_process
>
> Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info.

This looks like a *much* more acceptable system. Although how would you authenticate without collecting proscribed data...?

--HM
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote:
>
> They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program.

Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list.

> I would suggest you apply for a toolserver account:
>
> https://wiki.toolserver.org/view/Account_approval_process
>
> Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info.

I attempted to apply for a toolserver account, but it appears that the server at http://toolserver.org/accountrequest is down (as of 1:27pm CDT).

~Cody
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote:
> To help in the "proving trustworthy, or else" process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage.

They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program.

> As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know.

I would suggest you apply for a toolserver account:

https://wiki.toolserver.org/view/Account_approval_process

Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Message from the developer. I will see if he's interested in subscribing, but a forward will do for now.

Original Message
Subject: Re: Watchlistr
Date: Thu, 23 Jul 2009 11:20:19 -0500
From: Cody Jung
To: Tim Starling

Hey there Tim,

Apologies, I am not actually sure how to post to a mailing list; if you would, could you post this for me?

I completely understand the hesitation (and, indeed, the outright repulsion) to my application. Although I am confident in the security of Watchlistr, I realize that, out of the blue, it seems very suspicious. When I saw the post by MrZaius on the Wikipedia Bounty Board I thought to myself "Why hasn't anyone done this before? It seems really easy to implement!" Now I see why. Therefore, I would like to address several points brought up by the Wikitech-l mailing list users. I will start at the top of the thread and work down, addressing various comments as I go.

To Sage Ross: Although I have very little editing experience, as far as the Wikimedia projects go, anyway, when I saw the request for a transwiki watchlist tool, I thought "this is how I can help improve Wikipedia. This is something I _know_ how to do, and well." I want to assure everyone that my intentions were good (if not a little misguided), and I have no intention of phishing for anyone's accounts.

To Michael Rosenthal: I have looked at gWatch, but the fundamental issue I see with it is the fact that you have to "watch" something twice -- you must manually enter pages to watch, and that just seems a little silly.

To Gregory Maxwell and Aryeh Gregor: Until such time as my application can be a) proven trustworthy, or b) improved to *not* use passwords, I have removed all user accounts (all 4 of them...), and frozen registrations. I do, however, ask that you _please_ do not block the IP addresses at the server level. I am on a shared hosting solution, and doing that could very well create issues with other users with my host.

To help in the "proving trustworthy, or else" process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage.

Here's how the site works:

User logs in -> Their username is hashed and checked against the database, if it matches -> we make a session with that username as a variable in it for later access.

When the user accesses their aggregate watchlist for the first time each session, we take the username, decrypt the wiki list, and log them in to their sites. The cURL cookies that result are then stored above the web server, in a protected directory. The passwords do not get used for the rest of the session (the stored cookies are used instead). When the user logs out, the session is destroyed and the cURL cookiejar is deleted.

As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know.

Apologies once again for the uproar I have caused,

Cody Jung
Developer, Watchlistr

On Wed, Jul 22, 2009 at 10:48 PM, Tim Starling wrote:
> Please comment on the wikitech-l discussion about whether or not to block watchlistr.com from Wikimedia servers:
>
> http://lists.wikimedia.org/pipermail/wikitech-l/2009-July/044238.html
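The storage scheme described in the forwarded message above (username kept as a SHA1 hash, login list encrypted under a key derived from the username), together with the salt variant asked about later in the thread and the replies to it, as an added example. This is my own model, not Watchlistr's code: it implements the scheme, then shows what a party holding the database and a public list of registered usernames can recover. AES is replaced by an HMAC-SHA256 keystream so the block runs with the standard library alone; the cipher choice does not matter, because the weakness is that the username is both the row identifier and the key. The usernames and login strings are constructed sample data, and all function names are hypothetical.

```python
# Added example, not Watchlistr's code. Models "key = username" storage
# and the salted variant, and what the database holder can recover.
import hashlib
import hmac
import math


def row_key(username: str) -> str:
    # How the database identifies the user: SHA1 of the username.
    return hashlib.sha1(username.encode()).hexdigest()


def derive_key(username: str, salt: bytes = b"") -> bytes:
    # Key material is the username, optionally mixed with a server-side salt.
    # Nothing here is secret from someone who holds the server.
    return hashlib.sha256(salt + username.encode()).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode, XORed over the data, so
    # encryption and decryption are the same call. Demo only, not for real use.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def store_login_list(db: dict, username: str, login_list: str, salt: bytes = b"") -> None:
    """The scheme as described: row keyed by SHA1(username), value encrypted
    under a key derived from that same username."""
    db[row_key(username)] = xor_keystream(derive_key(username, salt), login_list.encode())


def recover_login_lists(db: dict, candidate_usernames, salt: bytes = b"") -> dict:
    """What the thread points out: with the database (and the salt, which lives
    on the same server), every row belonging to a name on the candidate list is
    decryptable, since the name is both the row key and the encryption key.
    The candidate list is public: registered usernames are enumerable."""
    recovered = {}
    for name in candidate_usernames:
        blob = db.get(row_key(name))
        if blob is not None:
            recovered[name] = xor_keystream(derive_key(name, salt), blob).decode(errors="replace")
    return recovered


def effective_key_bits(registered_users: int) -> float:
    """Entropy of a key chosen from the set of registered usernames: a few
    million accounts give about 22 bits, against 128 for a random AES key."""
    return math.log2(registered_users)
```

The salted variant changes nothing for the threat the thread is about: `recover_login_lists()` succeeds exactly as before once the salt is supplied, and the salt sits on the server that was just compromised. The only thing the encryption layer defends against is a copy of the database table on its own, and even there the key space is the public list of usernames.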
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 9:57 AM, Aryeh Gregor wrote:
> On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon wrote:
>> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey?

Greasemonkey will try and install any file which ends in .js and includes a few special words.

Where is this script? I couldn't find it on userscripts.org or here:

http://en.wikipedia.org/wiki/Wikipedia:Tools/Greasemonkey_user_scripts

> Greasemonkey is far from ideal. It only works on the computer you install it on, and only works for Firefox users.

That depends on how complex the script is; it could be turned into a bookmarklet, and many other browsers support user-scripts.

http://en.wikipedia.org/wiki/Greasemonkey

--
John Vandenberg
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane wrote:
> Check out how the Flickr API works. Users can give web and desktop apps privileges (read/write/delete).
>
> It isn't really that bizarre of a concept.

Read/write/delete access to what? The only cases where read access would be relevant would be what, watchlist and preferences, pretty much? I don't think we'd want this for editing, or admin-only stuff like viewing deleted pages. Preferences probably don't have a serious use-case, and if we're only left with watchlists, special-casing is the way to go.

On Thu, Jul 23, 2009 at 1:18 AM, Brianna Laugher wrote:
> I was thinking that the only private data you can really access via the API is watchlist, so it's barely worth it, but then I thought that for 3rd party apps using the write API, you would definitely want to have an option for a user to use their existing Wiki*edia accounts

It may not be able to take over their accounts, but it could still edit pages as them, which amounts to the same thing for many practical purposes.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
2009/7/23 Ryan Lane:
> On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote:
>> On Wed, Jul 22, 2009 at 4:41 PM, Gerard Meijssen wrote:
>>> Hoi,
>>> Would OpenID make a difference? It seems to me that when you authenticate to both WMF projects and to this watchlistr, you would not expose passwords in the wrong place. It seems to be also a solution of allowing Commons to authenticate in this way.
>>
>> No, not really.
>>
>> In this case the site wants your credentials so that it can scrape your watchlists.
>>
>> If it has your credentials it can impersonate you, which is bad.
>>
>> It's addressed by making it possible for the site to generate access cookies for particular resources which you could share. I.e. "generate a code that gives someone read only access to my watchlist".
>
> What about OpenID + OAuth?

I think OAuth could be the way to go. (I had it explained to me as: a way to let 3rd party apps access a service's API on your behalf, without handing over your password for that service to the 3rd parties.)

I was thinking that the only private data you can really access via the API is watchlist, so it's barely worth it, but then I thought that for 3rd party apps using the write API, you would definitely want to have an option for a user to use their existing Wiki*edia accounts

cheers
Brianna

--
They've just been waiting in a mountain for the right moment:
http://modernthings.org/
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 7:30 PM, Aryeh Gregor wrote:
> On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane wrote:
>> What about OpenID + OAuth?
>
> With MediaWiki support, there would be any number of ways to do it. Most obvious would be to just have a preference checkbox somewhere that would create a secret magic URL that would allow unauthenticated access to your watchlist. That's the main way that's been put forward to allow RSS feeds for watchlists.
>
>> Neither the OpenID plugin, or MediaWiki really support RBAC in a way that would make this work, but it is definitely possible.
>
> I'm not sure what "RBAC" means here. We sure do have RBAC for user accounts -- $wgGroupPermissions does that just fine. We don't generically permit users to set up discretionary access control lists to delegate all their privileges, however. That would be . . . kind of bizarre.

Check out how the Flickr API works. Users can give web and desktop apps privileges (read/write/delete).

It isn't really that bizarre of a concept.

V/r,

Ryan Lane
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane wrote:
> What about OpenID + OAuth?

With MediaWiki support, there would be any number of ways to do it. Most obvious would be to just have a preference checkbox somewhere that would create a secret magic URL that would allow unauthenticated access to your watchlist. That's the main way that's been put forward to allow RSS feeds for watchlists.

> Neither the OpenID plugin, or MediaWiki really support RBAC in a way that would make this work, but it is definitely possible.

I'm not sure what "RBAC" means here. We sure do have RBAC for user accounts -- $wgGroupPermissions does that just fine. We don't generically permit users to set up discretionary access control lists to delegate all their privileges, however. That would be . . . kind of bizarre.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote:
> On Wed, Jul 22, 2009 at 4:41 PM, Gerard Meijssen wrote:
>> Hoi,
>> Would OpenID make a difference? It seems to me that when you authenticate to both WMF projects and to this watchlistr, you would not expose passwords in the wrong place. It seems to be also a solution of allowing Commons to authenticate in this way.
>
> No, not really.
>
> In this case the site wants your credentials so that it can scrape your watchlists.
>
> If it has your credentials it can impersonate you, which is bad.
>
> It's addressed by making it possible for the site to generate access cookies for particular resources which you could share. I.e. "generate a code that gives someone read only access to my watchlist".

What about OpenID + OAuth?

Neither the OpenID plugin, or MediaWiki really support RBAC in a way that would make this work, but it is definitely possible.

V/r,

Ryan Lane
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 7:07 PM, Sage Ross wrote:
> I'm not sure what to do about this; it seems like a good idea but a major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool

I think the thing to do about it is block it at the firewall and tell the user to immediately delete all the data they gathered and never do anything like it again. We aren't even just talking about malice here, if someone else compromises the server they could get access to a whole bunch of admin accounts if it becomes popular.

The proper way to handle this would either be some form or other of software support, or use a toolserver tool with direct database access.

On Wed, Jul 22, 2009 at 7:59 PM, David Gerard wrote:
> Would something on the toolserver be safe enough in these terms?

Toolserver projects are forbidden from asking users for login info. However, the watchlist tables are replicated to the toolserver, just not made available to unprivileged users. If a user wanted to make a script like this, it would be simple to give special access to the tables to allow it (possibly restricted in such a fashion that the script author didn't get access, only his vetted code). The tool could deal with authentication by, e.g., giving the user an autogenerated URL and a confirmation code to add to a magic user subpage (it could check what user created the page).

On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon wrote:
> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey?

Greasemonkey is far from ideal. It only works on the computer you install it on, and only works for Firefox users.
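The authentication idea in the message above (a confirmation code placed on a magic user subpage, with the tool checking which user created the page), which Marco's later reply also describes as a talk-page edit, as an added example. This is my own model, not toolserver or MediaWiki code: the wiki is a plain dict standing in for a page lookup that can report the creator of a page, which on MediaWiki would be the user of the page's oldest revision. The `OwnershipVerifier` class, the `Page` record and the subpage title are hypothetical. The checks that matter are the ones a naive version skips: anyone can create a page under someone else's user space, so the creator is compared against the claimed name; the code expires; and it is accepted once.

```python
# Added example, not toolserver or MediaWiki code. Proves control of a wiki
# account by a subpage edit, without the tool ever seeing a password.
import secrets
import time
from dataclasses import dataclass


@dataclass
class Page:
    creator: str   # user of the oldest revision (MediaWiki: rev_user of revision 1)
    text: str


class OwnershipVerifier:
    """Challenge/response over the wiki itself: the tool issues a code, the
    user writes it to a subpage of their own user page, the tool checks
    creator and content. Only the account holder can make that edit."""

    def __init__(self, wiki: dict, ttl_seconds: int = 900, clock=time.time):
        self.wiki = wiki            # {title: Page}, stands in for the page lookup
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self.pending: dict = {}     # username -> (code, expiry timestamp)

    def start(self, username: str) -> tuple:
        """Issue a fresh, time-limited code and the title it must be written to.
        Starting again replaces any earlier code for the same name."""
        code = "watchlistr-" + secrets.token_urlsafe(16)
        self.pending[username] = (code, self.clock() + self.ttl)
        return code, f"User:{username}/Watchlistr-verify"

    def confirm(self, username: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        code, expires = entry
        if self.clock() > expires:
            del self.pending[username]
            return False
        page = self.wiki.get(f"User:{username}/Watchlistr-verify")
        # The title alone proves nothing: user subpages can be created by
        # anyone, so the decisive check is who created the page.
        if page is None or page.creator != username:
            return False
        if code not in page.text:
            return False
        del self.pending[username]   # single use: a replayed check fails
        return True
```

Because the tool reads the page and its creator from the replicated database rather than logging in as anyone, it needs no stored credentials at all, which is the property the thread asks for. A code that is never confirmed simply expires.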
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey?

I know it's not a perfect or even nice solution, but it might help reduce the incentive for this sort of thing. "Well, you *could* give your login credentials to this unaffiliated unknown site, or you could just install this WMF-endorsed script on your open source Firefox extension..." isn't a very difficult decision...

--HM

"Sage Ross" wrote in message news:40c6a93a0907221207l9ab78fcy20635588c5671...@mail.gmail.com...
> I'm not sure what to do about this; it seems like a good idea but a major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>
> The user who made it has very little editing history, and the site aggregates watchlists across multiple projects, but requires inputting your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this.
>
> -Sage Ross (User:Ragesoss)
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 4:41 PM, Gerard Meijssen wrote:
> Hoi,
> Would OpenID make a difference? It seems to me that when you authenticate
> to both WMF projects and to this watchlistr, you would not expose passwords
> in the wrong place. It seems to be also a solution of allowing Commons to
> authenticate in this way.

No, not really. In this case the site wants your credentials so that it can scrape your watchlists. If it has your credentials it can impersonate you, which is bad.

It is addressed by making it possible for the site to generate access cookies for particular resources which you could share. I.e. "generate a code that gives someone read only access to my watchlist".
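A sketch of the read-only access code described above, and of the opt-in watchlist token Aryeh mentions earlier in the thread (empty string means "don't use"), as an added example that is not code from any message in this thread or from MediaWiki: a random per-user token stored separately from the password lets a feed request read the watchlist and nothing else, and resetting it revokes that access without touching the password. The user name, the in-memory tables and the function names are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the wiki's user and watchlist tables.
# An empty watchlist_token means "don't use": the feed is opt-in.
USERS = {"ExampleUser": {"watchlist_token": ""}}
WATCHLISTS = {"ExampleUser": ["Wikipedia:Bounty board", "MediaWiki"]}


def enable_watchlist_token(username):
    """Opt the user in by generating a random read-only watchlist token.

    The token is independent of the password, so handing it to an
    aggregator lets that site read the watchlist but never log in as,
    or edit as, the user. Returns the token for display to the user."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    USERS[username]["watchlist_token"] = token
    return token


def reset_watchlist_token(username):
    """Revoke any token previously shared: back to the empty 'don't use'."""
    USERS[username]["watchlist_token"] = ""


def serve_watchlist_feed(username, token):
    """Answer a feed request for `username` authenticated by `token`.

    Returns the watchlist titles, or None when the user is unknown, has
    not opted in, supplied no token, or the token does not match. Only
    the watchlist is exposed; nothing else the account can do is
    reachable through this path."""
    user = USERS.get(username)
    if user is None:
        return None
    stored = user["watchlist_token"]
    if stored == "" or token == "":
        return None  # feature disabled, or caller sent nothing
    # Constant-time comparison so a wrong guess leaks no timing information.
    if not hmac.compare_digest(stored, token):
        return None
    return list(WATCHLISTS.get(username, []))
```

A site handed only the token can fetch the feed; a token issued to one user is useless against another user's watchlist, and resetting it cuts the site off without a password change.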
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Hoi,
Would OpenID make a difference? It seems to me that when you authenticate to both WMF projects and to this watchlistr, you would not expose passwords in the wrong place. It seems to be also a solution of allowing Commons to authenticate in this way.

Thanks,
GerardM

2009/7/22 Sage Ross
> I'm not sure what to do about this; it seems like a good idea but a
> major security risk:
>
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>
> The user who made it has very little editing history, and the site
> aggregates watchlists across multiple projects, but requires inputting
> your Wikimedia password into the watchlistr.com site. I have no
> specific reason to think it's a scam, but if I was trying to phish
> passwords I would do something like this.
>
> -Sage Ross (User:Ragesoss)
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 4:18 PM, David Gerard wrote:
> Mmm. So solving this properly would require solving many of the
> various consolidated/multiple watchlist bugs in MediaWiki itself,
> then.

Hm? No. Solving *this* involves having a sysadmin determine the source IP of the remote logins and scrambling the password of every account which has logged in through it.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
2009/7/22 Michael Rosenthal :
> On Wed, Jul 22, 2009 at 9:59 PM, David Gerard wrote:
>> 2009/7/22 Sage Ross :
>>> http://www.watchlistr.com/ is a site that creates aggregate watchlists
>>> across multiple projects. See
>>> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>>> The user who made it has very little editing history, and the site
>>> aggregates watchlists across multiple projects, but requires inputting
>>> your Wikimedia password into the watchlistr.com site. I have no
>>> specific reason to think it's a scam, but if I was trying to phish
>>> passwords I would do something like this.
>> Would something on the toolserver be safe enough in these terms?
> The toolserver rules forbid that:
> https://wiki.toolserver.org/view/Rules (#8)
> However there is gWatch which works without authentication:
> http://toolserver.org/~luxo/gwatch/login.php

Mmm. So solving this properly would require solving many of the various consolidated/multiple watchlist bugs in MediaWiki itself, then.

- d.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
>> your Wikimedia password into the watchlistr.com site. I have no
>> specific reason to think it's a scam, but if I was trying to phish
>> passwords I would do something like this.
> Would something on the toolserver be safe enough in these terms?

It would seem more trustworthy, but if I recall correctly it is explicitly forbidden to ask for user passwords on the toolserver. (Which is why Magnus jumped through hoops to create his TUSC thingie.)
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
The toolserver rules forbid that:
https://wiki.toolserver.org/view/Rules (#8)

However there is gWatch which works without authentication:
http://toolserver.org/~luxo/gwatch/login.php

On Wed, Jul 22, 2009 at 9:59 PM, David Gerard wrote:
> 2009/7/22 Sage Ross :
>
>> http://www.watchlistr.com/ is a site that creates aggregate watchlists
>> across multiple projects. See
>> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
>> The user who made it has very little editing history, and the site
>> aggregates watchlists across multiple projects, but requires inputting
>> your Wikimedia password into the watchlistr.com site. I have no
>> specific reason to think it's a scam, but if I was trying to phish
>> passwords I would do something like this.
>
> Would something on the toolserver be safe enough in these terms?
>
> - d.
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
2009/7/22 Sage Ross :
> http://www.watchlistr.com/ is a site that creates aggregate watchlists
> across multiple projects. See
> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool
> The user who made it has very little editing history, and the site
> aggregates watchlists across multiple projects, but requires inputting
> your Wikimedia password into the watchlistr.com site. I have no
> specific reason to think it's a scam, but if I was trying to phish
> passwords I would do something like this.

Would something on the toolserver be safe enough in these terms?

- d.