https://bugzilla.wikimedia.org/show_bug.cgi?id=46292
Web browser: ---
Bug ID: 46292
Summary: ConfirmEdit needs to block IPs after a set number of
failed CAPTCHA attempts
Product: MediaWiki extensions
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: ConfirmEdit (CAPTCHA extension)
Assignee: wikibugs-l@lists.wikimedia.org
Reporter: carlb...@hotmail.com
Classification: Unclassified
Mobile Platform: ---
While $wgCaptchaBadLoginAttempts appears to activate CAPTCHA after a certain
number of bad password attempts are made for an existing account, there needs
to be some means of blocking an IP for repeatedly giving random answers to the
CAPTCHA itself.
Bots routinely try to play the odds ([[bugzilla:40496]] mentions 4096
possiblities in Asirra, twelve photos with two possibilities, cat or dog,
apiece - mw:Extension:VisualMathCaptcha or other simple maths problems in their
default configurations are worse still as a random answer to a two-digit sum
will be correct 1% of the time).
If the offending IP landed on the block list (and mw:extension:GlobalBlocking
if installed) on the third failed CAPTCHA attempt, spammers would be less
tempted to try to guess their way past these systems.
There needs to be a way to detect repeated failures (such as dictionary
attacks) in much the same way as mw:extension:AbuseFilter can implement
three-strikes rules for ongoing vandalism. ([[bugzilla:34913]] raised the issue
that AbuseFilter does not have a mechanism to receive reports from other
extensions for things like repeated CAPTCHA failures, so its counters can't be
used directly here.)
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
