Use token when logging out
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	liangent
	Apr 18 2010, 4:32 AM

Description

Including Special:Userlogout and api.php?action=logout

Details

Reference: bz23227

Subject	Repo	Branch	Lines +/-
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_27	+36 -12
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_27	+102 -9
Turn logout link into a POST API call with refresh	mediawiki/core	master	+33 -0
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_27	+4 -0
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_27	+47 -9
ApiLogout: Follow up Icb674095	mediawiki/core	master	+36 -12
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_33	+36 -12
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_33	+102 -9
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_31	+36 -12
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_31	+102 -9
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_32	+36 -12
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_32	+102 -9
ApiLogout: Follow up Icb674095	mediawiki/core	REL1_30	+36 -12
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	REL1_30	+104 -9
[SECURITY] [API BREAKING CHANGE] Require logout token.	mediawiki/core	master	+102 -9

Related Objects
Search...

Status	Assigned	Task
Stalled	None	T302086 Set scap minimum python version to 3.7
Resolved	None	T247045 Migrate all of production metal and VMs to Buster or later
Resolved	akosiaris	T249724 Track and remove jessie based container images from production
Resolved	Jdforrester-WMF	T224908 Drop jessie testing support
Resolved	Jdforrester-WMF	T224907 Drop php55 testing support
Resolved	Reedy	T205039 Release MediaWiki 1.27.6/1.30.2/1.31.2/1.32.2
Resolved	Reedy	T205041 Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
Resolved	None	T14884 Login and account creation should be by secure http.
Invalid	None	T11816 Improve security for Special:Userlogin (tracking)
Resolved	sbassett	T25227 Use token when logging out
Resolved	sbassett	T221868 Send out wikitech-l post for T25227 ("Use token when logging out")

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

In T25227#2068086, @Anomie wrote:

Well, it will break anything that's actually using API action=logout in such a way that the user won't be logged out. And might not even be doing error checking on that. We should probably look how many "anythings" actually use it before merging. @bd808 might be able to give us some numbers.

@Ladsgroup I guess the question is how we address this. At this point, we need to be looking at stats again, and we definitely need to get some announcements written up and publicised before

Reedy removed a project: Security-General.Jan 23 2019, 11:54 AM

Reedy updated the task description. (Show Details)

Reedy removed a subscriber: • RobLa-WMF.

In T25227#4901889, @Reedy wrote:

In T25227#2068086, @Anomie wrote:

Well, it will break anything that's actually using API action=logout in such a way that the user won't be logged out. And might not even be doing error checking on that. We should probably look how many "anythings" actually use it before merging. @bd808 might be able to give us some numbers.

@Ladsgroup I guess the question is how we address this. At this point, we need to be looking at stats again, and we definitely need to get some announcements written up and publicised before

I can make the patches ready for common libraries like pywikibot and mwapi (if it uses logout) and push it once it's deployed.

And @Bawolff's patch will need a rebase as it's nearly 3 years old at this point

In T25227#4901889, @Reedy wrote:

At this point, we need to be looking at stats again

Much easier now that https://wikitech.wikimedia.org/wiki/Analytics/Data_Lake/Traffic/ApiAction exists.

Looking at January 2019, usage patterns seem largely unchanged. With the Data Lake I can see agents too, which allows for a bit more in-depth analysis.

87301 are hits to zerowiki from WMF IPs.
12054 come from one Toolforge exec node with one agent (belonging to a 3-year-deprecated library).
1572 hits come from various IPs with agents like "Wikipedia/#.#.# (iSomething; iOS #.#.#; Scale/#.00)", for example "Wikipedia/6.1.4 (iPhone; iOS 12.1.2; Scale/3.00)".
1108 and 558 of the hits from from two unrelated-looking IPs, each with its own library-like agent. No idea if these are the same IPs as in T25227#2081647.
302, 177, and 73 hits come from various Toolforge IPs with agents that identify specific tools or users.
125 hits from various external IPs with an agent matching the name of a plugin for a particular app.
123 hits from one external IP with a bot-like agent.
141 hits come from a pair of external IPs in a university network, with 99 different browser-like agents. Normally this would seem like a proxy, but since normal browsing doesn't usually hit API action=logout it's more likely a bot of some sort with faked agents.
The remaining 277 hits come from 131 different external IPs and 79 different agents. 29 of the agents (76 hits) begin with "Mozilla/".

There are two ways we could proceed here to make the change requested in this task with respect to the API:

Treat it as a security issue: break all those API clients immediately, as is done by F3328897.
Treat it as a normal change: allow but don't require token use in 1.33, with a deprecation warning if the token isn't used, and break the clients in 1.34.

Since this has been open for about 9 years and seems at least somewhat known already, I'm not sure #1 is the obvious choice. But I'll leave the decision to the Security team.

In T25227#4902743, @Anomie wrote:

There are two ways we could proceed here to make the change requested in this task with respect to the API:

Treat it as a security issue: break all those API clients immediately, as is done by F3328897.

Treat it as a normal change: allow but don't require token use in 1.33, with a deprecation warning if the token isn't used, and break the clients in 1.34.

Since this has been open for about 9 years and seems at least somewhat known already, I'm not sure #1 is the obvious choice. But I'll leave the decision to the Security team.

Of course the security team has the last call here but my personal preference is #1. For several reasons:

This ticket is private, it seems there is consensus that the issue should not be public.
If it's not exploited yet, it doesn't mean it's a small issue. I was telling my friends the fact that this issue is not abused yet restores my faith in humanity.
Given the #flea-attacker-mitigation we have, It seems too dangerous to leave it as it is and expose the issue. When there is someone who actively looking for issues.

(An attacker can paralyze a wiki by putting the logout URL as background image in common.css, and fixing it is almost impossible)

An attacker who can edit site CSS, would also be able to edit site JS where they could get a token to get around any fix. But I'm sure there are plenty of other disruptive ways to exploit this from less privileged positions.

Just to argue the other side for a moment: An argument could be made that if we're not sure if a user is supposed to be logged in or not, it is safer to fail in the direction of logging the user out than keeping the user logged in. Not sure if I'm convinced by that argument, but thought i should throw it out there.

Bawolff edited projects, added MediaWiki-Core-AuthManager; removed Security-General.Feb 4 2019, 9:58 AM

Legoktm merged a task: Restricted Task.Apr 14 2019, 8:18 PM

Legoktm added a subscriber: Jorm.

Reedy changed the visibility from "Custom Policy" to "Custom Policy".Apr 14 2019, 8:40 PM

Reedy changed the edit policy from "Custom Policy" to "Custom Policy".

Legoktm added a subscriber: Framawiki.Apr 14 2019, 8:42 PM

This open security issue has passed its ninth anniversary five days ago.

Folks, seriously: just fix this. Let the bots break for a day or five. You don't need community consensus. You just need the Will To Do It.

"Rebased" @Bawolff's 3+ year-old patch (T25227#2013640) on master, tested locally. Talked about this with the Security-Team today - fine with just pushing it publicly in gerrit. If there are no objections, I'll create a patch set from the attached: F28682008.

In T25227#5116776, @sbassett wrote:

"Rebased" @Bawolff's 3+ year-old patch (T25227#2013640) on master, tested locally. Talked about this with the Security-Team today - fine with just pushing it publicly in gerrit. If there are no objections, I'll create a patch set from the attached: F28682008.

Awesome! thanks. One thing in the patch, it uses the old array() system. That's my only note. Once it's in gerrit, add me as reviewer so I help (btw. Can we write tests for this?)

In T25227#5117999, @Ladsgroup wrote:

In T25227#5116776, @sbassett wrote:

"Rebased" @Bawolff's 3+ year-old patch (T25227#2013640) on master, tested locally. Talked about this with the Security-Team today - fine with just pushing it publicly in gerrit. If there are no objections, I'll create a patch set from the attached: F28682008.

Awesome! thanks. One thing in the patch, it uses the old array() system. That's my only note. Once it's in gerrit, add me as reviewer so I help (btw. Can we write tests for this?)

Old array would probably fail phpcs, so NBD

Feel free to write tests :)

Er, I think I fixed the array() => [] issues in F28682008. Anyhow, I'll plan to make this task public today, push a patch set up to gerrit and work on some tests.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 17 2019, 2:23 PM

sbassett removed subscribers: Parent5446, • csteipp.

Change 504565 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/core@master] [PATCH] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/504565

Fomafix mentioned this in T63115: Remove 'setlang' query parameter feature from ULS.Apr 18 2019, 5:07 PM

Change 504565 merged by jenkins-bot:
[mediawiki/core@master] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/504565

Change 506386 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Turn logout link into a POST API call with refresh

https://gerrit.wikimedia.org/r/506386

Ladsgroup mentioned this in T220923: URL Shortener should not obfuscate important links.Apr 25 2019, 11:42 AM

Ladsgroup added a project: User-notice.Apr 25 2019, 11:45 AM

So will this be in production before or after Tech News goes out on Monday?

Wikimedia wikis now use a token when you log out. This changes how the API works. Some tools might need to be updated. LINK

Something like that?

In T25227#5137291, @Johan wrote:

So will this be in production before or after Tech News goes out on Monday?

After

Wikimedia wikis now use a token when you log out. This changes how the API works. Some tools might need to be updated. LINK

Something like that?

Sounds good to me. There might be another change that will go live and affects how users log out but it's too soon for that.

Added to https://meta.wikimedia.org/wiki/Tech/News/2019/18

Will be distributed on Monday.

Johan moved this task from To Triage to In current Tech/News draft on the User-notice board.Apr 25 2019, 12:21 PM

Change 506421 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506421

Reedy mentioned this in T221856: Update logout functions in mobile apps.Apr 25 2019, 2:02 PM

Change 506429 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_33] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506429

Change 506430 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_33] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506430

Change 506431 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_32] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506431

Change 506432 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_32] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506432

Change 506433 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_31] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506433

Change 506434 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_31] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506434

Change 506438 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_30] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506438

Change 506439 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_30] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506439

Change 506438 merged by Reedy:
[mediawiki/core@REL1_30] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506438

Change 506448 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/core@REL1_27] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506448

Change 506449 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_27] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506449

Change 506439 merged by Reedy:
[mediawiki/core@REL1_30] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506439

Change 506431 merged by jenkins-bot:
[mediawiki/core@REL1_32] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506431

sbassett mentioned this in T221868: Send out wikitech-l post for T25227 ("Use token when logging out").Apr 25 2019, 3:50 PM

Change 506432 merged by jenkins-bot:
[mediawiki/core@REL1_32] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506432

Change 506433 merged by jenkins-bot:
[mediawiki/core@REL1_31] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506433

Change 506434 merged by jenkins-bot:
[mediawiki/core@REL1_31] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506434

Change 506429 merged by jenkins-bot:
[mediawiki/core@REL1_33] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506429

Change 506430 merged by jenkins-bot:
[mediawiki/core@REL1_33] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506430

Change 506421 merged by jenkins-bot:
[mediawiki/core@master] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506421

Change 506448 merged by SBassett:
[mediawiki/core@REL1_27] [SECURITY] [API BREAKING CHANGE] Require logout token.

https://gerrit.wikimedia.org/r/506448

Change 506449 merged by SBassett:
[mediawiki/core@REL1_27] ApiLogout: Follow up Icb674095

https://gerrit.wikimedia.org/r/506449

Reedy added a parent task: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Apr 30 2019, 3:54 PM

sbassett closed subtask T221868: Send out wikitech-l post for T25227 ("Use token when logging out") as Resolved.Apr 30 2019, 5:56 PM

Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.May 2 2019, 12:03 PM

Framawiki mentioned this in T222508: action=logout needs CSRF token, since API breaking change.May 4 2019, 9:26 AM

Can this task be closed?

Kindly suggest, was security researcher who reported this vulnerability was added in HoF page?

In T25227#5157385, @Dhirajindexes wrote:

Kindly suggest, was security researcher who reported this vulnerability was added in HoF page?

The original reporter was @liangent who is a community member... Followed by 5 duplicates... You weren't the original reporter

In T25227#5157383, @Framawiki wrote:

Can this task be closed?

This patch is still open atm

In T25227#5137176, @gerritbot wrote:

Change 506386 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Turn logout link into a POST API call with refresh

https://gerrit.wikimedia.org/r/506386

In T25227#5157476, @Reedy wrote:

This patch is still open atm

I would be very happy to move this patch to another ticket. My goal is to remove any GET request that involves token but one can argue it's not part of this ticket.

ShakespeareFan00 mentioned this in T222582: "WikiBreak_Enforcer" script on en.wp does not supply LogoutToken parameter.May 6 2019, 1:03 PM

sbassett mentioned this in T222626: Turn logout link into a POST API call with refresh.May 6 2019, 3:11 PM

@Framawiki, @Ladsgroup, @Reedy - split "Turn logout link into a POST API call with refresh" and moved here: T222626. @Ladsgroup - will let you update patch set with new bug id. Resolving this task for now.