Last modified: 2009-05-31 11:35:02 UTC
This is a security risk for old (not used for now) administrator accounts! An attack schema on a non-global account called "nnn" on the wiki "iii":
1) I create an account called "nnn" at several wikis
2) I convert an account "nnn" to a global account
3) I try to join the "nnn" in the wiki "iii" to my global account - no restrictions on the number of unsuccessful attempts, no captcha
I'm sure this is a dupe. Regardless, it's not a significant attack vector against admin accounts, because the home wiki, which has control of the global account, is decided mainly depending on local userrights. So the admin account on iiwiki will ensure that iiwiki is the home wiki for User:nnn's global account. So it will not be possible to unify the account on another project except by gaining *higher* permissions on that project. At which point, we have a malicious admin account on xxwiki *anyway*, making the issue rather moot.