https://bugzilla.wikimedia.org/show_bug.cgi?id=67995

--- Comment #6 from Bryan Davis <bda...@wikimedia.org> ---
(In reply to Chris Steipp from comment #5)
> On a separate note, I wanted to document that this feature has slight
> security implications. Since we're automatically changing the username on
> login, there's a small (nearly impossible, but not entirely) chance we'll
> change it to the wrong username, if two users have the same password. This
> would be the same if pre-finalization, a local user came to a wiki and
> "accidentally" logged into another person's account who happened to have the
> same username and password.
> 
> Highly unlikely to have any real impact, but wanted to bring it up in case
> it bothers anyone.

I think I pointed that out somewhere, but maybe it was only as discussion in a
meeting. It is a fairly small new hole, as the two users that are being
confused must be USER and USER~wiki, meaning the USER~wiki account is now
exposed to brute force attacks on the USER account's password.
