https://bugzilla.wikimedia.org/show_bug.cgi?id=46292

       Web browser: ---
            Bug ID: 46292
           Summary: ConfirmEdit needs to block IPs after a set number of
                    failed CAPTCHA attempts
           Product: MediaWiki extensions
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: ConfirmEdit (CAPTCHA extension)
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: carlb...@hotmail.com
    Classification: Unclassified
   Mobile Platform: ---

While $wgCaptchaBadLoginAttempts appears to activate CAPTCHA after a certain
number of bad password attempts are made for an existing account, there needs
to be some means of blocking an IP for repeatedly giving random answers to the
CAPTCHA itself.

Bots routinely try to play the odds ([[bugzilla:40496]] mentions 4096
possibilities in Asirra, twelve photos with two possibilities, cat or dog,
apiece - mw:Extension:VisualMathCaptcha or other simple maths problems in their
default configurations are worse still as a random answer to a two-digit sum
will be correct 1% of the time).

If the offending IP landed on the block list (and mw:extension:GlobalBlocking
if installed) on the third failed CAPTCHA attempt, spammers would be less
tempted to try to guess their way past these systems.

There needs to be a way to detect repeated failures (such as dictionary
attacks) in much the same way as mw:extension:AbuseFilter can implement
three-strikes rules for ongoing vandalism. ([[bugzilla:34913]] raised the issue
that AbuseFilter does not have a mechanism to receive reports from other
extensions for things like repeated CAPTCHA failures, so its counters can't be
used directly here.)

Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
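As an added illustration (not code from ConfirmEdit or MediaWiki), a per-IP failure counter of the kind the report asks for, together with the guessing-odds arithmetic it cites; the three-strike threshold, one-hour window, in-memory store and the `CaptchaFailureTracker` / `guess_success_probability` names are assumptions made here.

```python
import time
from collections import defaultdict

# Assumed policy values: block on the third failure (as the report proposes),
# counted over a one-hour window. An in-memory dict stands in for the
# shared cache a real deployment would use.
MAX_FAILURES = 3
WINDOW_SECONDS = 3600


class CaptchaFailureTracker:
    """Per-IP counter of failed CAPTCHA answers with a sliding window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> block expiry timestamp

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # block has lapsed; forget it
            del self.blocked[ip]
            return False
        return True

    def record(self, ip, passed, now=None):
        """Record one CAPTCHA attempt; return True if the IP is (now) blocked."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return True
        if passed:                   # a correct answer clears the strike count
            self.failures.pop(ip, None)
            return False
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.blocked[ip] = now + self.window
            del self.failures[ip]
            return True
        return False


def guess_success_probability(answer_space, attempts):
    """Chance that uniform random guessing passes at least once in `attempts` tries."""
    return 1.0 - (1.0 - 1.0 / answer_space) ** attempts
```

With three guesses before the block lands, random answers to a two-digit sum get through about 3% of the time and Asirra's 4096-way choice about 0.07%; without the block the odds grow with every extra attempt.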