Last night someone hacked the password of one of the French Wikipedia
sysops, Youssefsan. (Using IP 217.144.0.5, possibly a proxy?) They don't
appear to have done anything terribly devastating; blanked a few pages
and banned a couple IPs (since restored).
However, under the system that has been in place, it would be trivial
for any sysop to retrieve another user's password hash and use it to log
in by hand-setting the stored password cookie. (Indeed, there is some
concern that one of the other fr users who is a sysop there may be the
troublemaker.)
** Anyone with an account on the French Wikipedia, I recommend you
change your password just in case this guy snagged more. **
I've changed the sysop's SQL query to use a separate MySQL user account
which has read-only access and isn't allowed to read the email and
password fields of the user table, which should close the 'malicious
sysop' hole. (However, developers still have full access.)
-- brion vibber (brion @ pobox.com)
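An added example of the kind of grant the post describes, written here as an illustration and not taken from the post or from the Wikipedia code of the time. It assumes a database named `wikidb`, a `user` table with columns `user_id`, `user_name`, `user_rights`, `user_password` and `user_email`, the old `cur` and `old` article tables, and two account names, `wikiadmin` (full access, as the developers keep) and `wikisysop` (the restricted account behind the sysop query page); all of those names are assumptions. It uses current MySQL syntax (`CREATE USER`, column-level `GRANT`).

```sql
-- Added example, not code from the post. Assumed names: database wikidb,
-- tables user/cur/old, accounts wikiadmin and wikisysop.

-- Before: every page, the sysop query page included, used one account that
-- can read every column of every table. From that account a sysop can run
--   SELECT user_name, user_password FROM user WHERE user_name = 'Youssefsan';
-- and copy the hash into a hand-built login cookie.
CREATE USER 'wikiadmin'@'localhost' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON wikidb.* TO 'wikiadmin'@'localhost';

-- After: a second, read-only account used only by the sysop query page.
CREATE USER 'wikisysop'@'localhost' IDENTIFIED BY 'change-me-too';

-- Whole-table SELECT on tables that hold nothing secret.
GRANT SELECT ON wikidb.cur TO 'wikisysop'@'localhost';
GRANT SELECT ON wikidb.old TO 'wikisysop'@'localhost';

-- Column-level SELECT on the user table: only the listed columns are
-- readable. user_password and user_email are not granted at all, so there
-- is nothing to revoke and nothing to forget when the table grows.
GRANT SELECT (user_id, user_name, user_rights) ON wikidb.user
  TO 'wikisysop'@'localhost';

-- Checks, run as wikisysop.
-- Allowed:
SELECT user_id, user_name, user_rights
  FROM wikidb.user
 WHERE user_rights LIKE '%sysop%';

-- Denied with ERROR 1143 (42000): SELECT command denied to user
-- 'wikisysop'@'localhost' for column 'user_password' in table 'user':
SELECT user_name, user_password FROM wikidb.user;

-- Also denied: SELECT * FROM wikidb.user (the star expands to ungranted
-- columns) and any INSERT/UPDATE/DELETE, since only SELECT was granted.

-- Confirm what the account really holds before trusting it:
SHOW GRANTS FOR 'wikisysop'@'localhost';
```

Two caveats that follow from the post itself: the grant only narrows who can read the hash, it does not change the fact that a stolen hash can be pasted into the password cookie and used as a password, and anyone holding the `wikiadmin` credentials (the developers, per the post) can still read every column.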