Page MenuHomePhabricator

CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them
Closed, ResolvedPublic2 Estimated Story PointsSecurity

Description

If a user with the checkuser group, but not the suppressor group, uses Special:Investigate to check an IP address which has been used by a user that has been blocked with hideuser, then the username of the hidden user will be displayed in all the tabs on the page.

For example:

The block entry with hideuser setLeak on the 'Account information' tabLeak on the 'IPs and User agents' tabLeak on the 'Timeline' tabThe contributions page for that hidden user
image.png (96×1 px, 39 KB)
image.png (168×1 px, 19 KB)
image.png (240×1 px, 47 KB)
image.png (334×1 px, 130 KB)
image.png (304×1 px, 28 KB)
Steps to reproduce
  1. Block a user with hideuser enabled using an account with the suppressor group
  2. Log into an account with just the checkuser group
  3. Open Special:Investigate and run a check on an IP address used by the account that was blocked in step 2
  4. Search for the username of the blocked user in any of the tabs presented

Event Timeline

Dreamy_Jazz set the point value for this task to 2.

Proposed patch:

All of the $userIsHidden = logic makes sense to me after a quick look. I can try to test this a bit locally this week, though if someone who works more closely with CU can give it a 2, that would likely be preferred.

Proposed patch:

All of the $userIsHidden = logic makes sense to me after a quick look. I can try to test this a bit locally this week, though if someone who works more closely with CU can give it a 2, that would likely be preferred.

I think @Tchanders may be able to do a full review as I've included this (and the other security tasks) in our current sprint.

Looks good to me too: 2.

Note that it won't hide deleted log entries, but that's because Special:Investigate is still reading the old schema, so can't join on the logging table - already captured in T326866.

@Dreamy_Jazz - I assume you can get this deployed, but let the Security-Team know if you'd just like us to do that. Thanks.

Change #1016881 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@REL1_39] SECURITY: Hide users hidden users in Special:Investigate

https://gerrit.wikimedia.org/r/1016881

I have removed the patch from the deployment server since it got merged and made its way to the MediaWiki deployment train this week.

I cannot see the username of a suppressed user in the "Username" column of the "IPs & User Agents" tab nor in the place where usernames are normally displayed in the "Timeline" tab.

However, you can see the username in the log details on the "Timeline" tab, even if the associated log/revision is hidden. @Dreamy_Jazz are we implementing this elsewhere?

specialinvestigate_log_reason.png (72×959 px, 17 KB)

Test environment: local docker CheckUser 2.5 (5f204f2) 07:27, 15 April 2024.

However, you can see the username in the log details on the "Timeline" tab, even if the associated log/revision is hidden. @Dreamy_Jazz are we implementing this elsewhere?

specialinvestigate_log_reason.png (72×959 px, 17 KB)

This will be done through T326866: CVE-2024-40596: Special:Investigate can expose suppressed information for log events.

mmartorana renamed this task from Special:Investigate exposes suppressed usernames to those who do not have the rights to see them to CVE-2024-40608: Special:Investigate exposes suppressed usernames to those who do not have the rights to see them.Jul 8 2024, 5:32 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 8:52 AM