
Editing unregistered at wiki.pt does not generate any kind of warning about one's IP being revealed
Closed, Invalid | Public | BUG REPORT

Description

Steps to Reproduce:
Edit unregistered on the Wikipedia app
Edit unregistered using Visual Editor in desktop mode (in a laptop, using the Private Window feature of Firefox)
Edit unregistered using Visual Editor in mobile mode (my personal mobile phone)

Using the code editor while unregistered does show a warning, though it should be a lot more intrusive than it is, due to the danger associated with that action.

All in the Wikipedia in Portuguese, using Firefox (laptop) and Chrome (mobile).

Actual Results:
In all cases I edited without any kind of warning or at least a mere information telling me my IP was being revealed to the world.
I consider this to be a very severe security flaw, which can be related with reported situations where people have been persecuted at work and on justice in Brazil for doing controversial editions unregistered using their workplace network at Wikipedia in Portuguese.

No idea if I need to add any screenshot, since this is something that does not appear. If any is useful, please tell me. I already posted some from the app at our Telegram wiki.pt group to show what was happening a couple of days ago, but they do not show anything special, there simply is no warning at all there.

Expected Results:
A very visible warning saying that the editor is about to reveal their IP to the world if they edit, and some kind of sound warning about the danger it can represent to them.

Event Timeline

Edit unregistered using Visual Editor in desktop mode (in a laptop, using the Private Window feature of Firefox)

Screenshot 2020-09-08 at 21.01.22.png (1×2 px, 605 KB)

seems to be the same as

Screenshot 2020-09-08 at 21.03.54.png (946×2 px, 297 KB)

I consider this to be a very severe security flaw, which can be related with reported situations where people have been persecuted at work and on justice in Brazil for doing controversial editions unregistered using their workplace network at Wikipedia in Portuguese.

You can improve wording in https://pt.wikipedia.org/wiki/MediaWiki:Anoneditwarning to emphasize on issues that revealing IPs might arise to non-technical people. I did the same in Persian Wikipedia after 2009 protests and it helped.

I see. I don't recall at all seeing that warning when I tested, probably because I was focused on the edition itself, so I probably simply dismissed it. When I saved the edition, which is what really counts, no warning appeared, at all. Now that you've shown where and when it appears, I've repeated the action, and I've seen it. I believe the warning should not be displayed before editing, but before saving, which is what really counts.

I've also returned to mobile, and as always, I saw a very striking blue button asking me if I wanted to edit without creating an account. Below it there are two grey, discreet buttons saying "Entrar" and "Registar". And now, finally, I noticed that above it is written, in a very discreet grey box which has passed undetected to me, the information that my IP would be recorded on History. If I simply press the striking blue button and edit, no further information or warning is shown. Again, the warning should not be before editing, but before saving, as that is what really counts. I can't post here a screenshot of this because for some reason the mobile phone does not allow it on that page.

As for the Wikipedia app, nothing appears at all, at least that I can find. All that appears before editing is this:

imagem.png (1×606 px, 404 KB)

Then a textbox with wikicode appears, I edit, save, that's it. No warning at all.

There is also not any kind of warning or information that choosing "editar descrição do artigo" means the edition is made on Wikidata. This has been confusing newbies who use the app to edit, as well as the seasoned users they reach out asking for help. A few days ago, a newbie reached out to more than 160 users on the pt.wiki Telegram group asking what should he write for the resume of Wikipedia articles. Nobody knew what he was talking about, until I've downloaded the app myself, experimented it, and found out what he meant was not related to Wikipedia at all, but to Wikidata. Things should not be implemented like this.

Paulo

I believe the warning should not be displayed before editing, but before saving, which is what really counts.

That might be an addition to be made. IMHO, I don't see anything wrong with the notification being there (as well) before actually making any changes. It saves people making the edits, then the edit being discarded when they don't want to save the changes and have their IP exposed.

I agree, it is even better if it is shown both before editing, and at the moment the person saves their editions unregistered (and this time, much more strikingly).

At the Wikipedia app, however, I could not find that information in any place, at all. If it is there, it's very hidden.

I just tried again yesterday, and confirmed again that while editing what the app wrongly calls "article description" - in fact, the Wikidata description - there is not any information anywhere stating that your IP is going to be revealed. I consider this a security problem of some severity.

Aklapper added a project: Privacy Engineering.

I don't see anything actionable in this task when it comes to VisualEditor, as information is displayed. Thus closing.
(Wikipedia App issues already have their dedicated task.)