Page MenuHomePhabricator
Create Task
Maniphest T361296

CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Mar 28 2024, 8:11 PM
Tags
Referenced Files
F46746046: specialinvestigate_log_reason.png
Apr 15 2024, 10:33 AM
F44201295: T361296-01.patch
Apr 2 2024, 6:48 PM
F43689992: image.png
Mar 28 2024, 8:11 PM
F43691130: image.png
Mar 28 2024, 8:11 PM
F43691111: image.png
Mar 28 2024, 8:11 PM
F43691057: image.png
Mar 28 2024, 8:11 PM
F43690027: image.png
Mar 28 2024, 8:11 PM
Subscribers
Aklapper
Djackson-ctr
dom_walden
Dreamy_Jazz
gerritbot
GMikesell-WMF
kostajh
View All 10 Subscribers

Description

If a user with the checkuser group, but not the suppressor group, uses Special:Investigate to check an IP address which has been used by a user that has been blocked with hideuser, then the username of the hidden user will be displayed in all the tabs on the page.

For example:

The block entry with hideuser setLeak on the 'Account information' tabLeak on the 'IPs and User agents' tabLeak on the 'Timeline' tabThe contributions page for that hidden user
image.png (96×1 px, 39 KB)
image.png (168×1 px, 19 KB)
image.png (240×1 px, 47 KB)
image.png (334×1 px, 130 KB)
image.png (304×1 px, 28 KB)
Steps to reproduce
  1. Block a user with hideuser enabled using an account with the suppressor group
  2. Log into an account with just the checkuser group
  3. Open Special:Investigate and run a check on an IP address used by the account that was blocked in step 2
  4. Search for the username of the blocked user in any of the tabs presented

Details

Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
SECURITY: Hide users hidden users in Special:Investigatemediawiki/extensions/CheckUserREL1_39+152 -25
SECURITY: Hide users hidden users in Special:Investigatemediawiki/extensions/CheckUserREL1_40+162 -29
SECURITY: Hide users hidden users in Special:Investigatemediawiki/extensions/CheckUserREL1_41+152 -29
SECURITY: Hide users hidden users in Special:Investigatemediawiki/extensions/CheckUsermaster+152 -29
Customize query in gerrit

Related Objects

Event Timeline

Dreamy_Jazz created this task.Mar 28 2024, 8:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 8:12 PM
Dreamy_Jazz added projects: CheckUser, Trust and Safety Product Team, Vuln-Infoleak.Mar 28 2024, 8:12 PM
Dreamy_Jazz attached a referenced file: F43689992: image.png. (Show Details)
Dreamy_Jazz attached a referenced file: F43690027: image.png. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz added a project: Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)).Mar 28 2024, 8:14 PM
Dreamy_Jazz added subscribers: Tchanders, STran, kostajh.
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 2 2024, 11:39 AM
Dreamy_Jazz claimed this task.Apr 2 2024, 1:58 PM
Dreamy_Jazz set the point value for this task to 2.
sbassett mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Apr 2 2024, 5:53 PM
sbassett added a project: security-bug.Apr 2 2024, 6:02 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Apr 2 2024, 6:23 PM
sbassett added a project: SecTeam-Processed.
Dreamy_Jazz added a project: Patch-For-Review.Apr 2 2024, 6:48 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.

Proposed patch:

T361296-01.patch24 KBDownload

sbassett subscribed.Apr 2 2024, 10:16 PM
In T361296#9681940, @Dreamy_Jazz wrote:

Proposed patch:

T361296-01.patch24 KBDownload

All of the $userIsHidden = logic makes sense to me after a quick look. I can try to test this a bit locally this week, though if someone who works more closely with CU can give it a +2, that would likely be preferred.

Dreamy_Jazz added a comment.Apr 2 2024, 10:39 PM
In T361296#9682434, @sbassett wrote:
In T361296#9681940, @Dreamy_Jazz wrote:

Proposed patch:

T361296-01.patch24 KBDownload

All of the $userIsHidden = logic makes sense to me after a quick look. I can try to test this a bit locally this week, though if someone who works more closely with CU can give it a +2, that would likely be preferred.

I think @Tchanders may be able to do a full review as I've included this (and the other security tasks) in our current sprint.

Tchanders added a comment.Apr 3 2024, 3:07 PM

Looks good to me too: +2.

Note that it won't hide deleted log entries, but that's because Special:Investigate is still reading the old schema, so can't join on the logging table - already captured in T326866.

sbassett added a comment.Apr 3 2024, 7:07 PM

@Dreamy_Jazz - I assume you can get this deployed, but let the Security-Team know if you'd just like us to do that. Thanks.

Dreamy_Jazz moved this task from Needs Review to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 4 2024, 3:05 PM

I'll get this deployed now.

Dreamy_Jazz added a comment.Apr 4 2024, 3:23 PM

Deployed.

Dreamy_Jazz added a project: MW-1.42-notes (1.42.0-wmf.25; 2024-04-02).Apr 4 2024, 5:37 PM
Dreamy_Jazz moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 4 2024, 7:23 PM
Dreamy_Jazz added a subscriber: gerritbot.
gerritbot added a comment.Apr 4 2024, 7:24 PM

Change #1016881 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide users hidden users in Special:Investigate

https://gerrit.wikimedia.org/r/1016881

Dreamy_Jazz added subscribers: Djackson-ctr, dom_walden, GMikesell-WMF.Apr 4 2024, 7:25 PM
hashar subscribed.Apr 9 2024, 8:27 AM

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

Dreamy_Jazz mentioned this in T240586: Should hidden blocks be shown in Preliminary Check?.Apr 12 2024, 9:20 AM
Dreamy_Jazz moved this task from General / Unsorted to Investigate on the CheckUser board.Apr 12 2024, 10:19 AM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Apr 15 2024, 10:33 AM

I cannot see the username of a suppressed user in the "Username" column of the "IPs & User Agents" tab nor in the place where usernames are normally displayed in the "Timeline" tab.

However, you can see the username in the log details on the "Timeline" tab, even if the associated log/revision is hidden. @Dreamy_Jazz are we implementing this elsewhere?

specialinvestigate_log_reason.png (72×959 px, 17 KB)

Test environment: local docker CheckUser 2.5 (5f204f2) 07:27, 15 April 2024.

Dreamy_Jazz added a comment.Apr 15 2024, 5:43 PM
In T361296#9712753, @dom_walden wrote:

However, you can see the username in the log details on the "Timeline" tab, even if the associated log/revision is hidden. @Dreamy_Jazz are we implementing this elsewhere?

specialinvestigate_log_reason.png (72×959 px, 17 KB)

This will be done through T326866: CVE-2024-40596: Special:Investigate can expose suppressed information for log events.

Dreamy_Jazz closed this task as Resolved.Apr 15 2024, 5:43 PM
mmartorana renamed this task from Special:Investigate exposes suppressed usernames to those who do not have the rights to see them to CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.Jul 8 2024, 5:32 PM
hashar unsubscribed.Jul 8 2024, 9:04 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 8:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits