Last modified: 2007-03-20 05:44:28 UTC

Bug 9171 - Wrong user's cookie
Product: Wikimedia
Classification: Unclassified
General/Unknown (Other open bugs)
PC Windows XP
Assigned To: Nobody - You can work on this!
Reported: 2007-03-05 14:46 UTC by Alf B. Meier
Modified: 2007-03-20 05:44 UTC (History)

Description Alf B. Meier 2007-03-05 14:46:58 UTC
Hi,
Trying to log in this morning I have found that my computer wanted to log in
under an unknown name. The user's name plus his password were clearly on my
log-on field. After checking my system for viruses and similar I found a cookie from
Wikipedia that contained somebody else's data and password and, sorry to say,
was so amateurishly encoded that it took me less than a minute to see the other
user's password in clear. Besides addressing this problem you might want to
contact User:Rough to advise him that his password has been compromised. This is
my at-home computer and has not been used by anyone but me for at least a year.
Besides, my log-ons are slightly harder to crack than yours.
Take care
Comment 1 Brion Vibber 2007-03-05 14:51:21 UTC
Note that the cookies do not include passwords.
Comment 2 Alf B. Meier 2007-03-05 22:28:04 UTC
(In reply to comment #1)
> Note that the cookies do not include passwords.

Maybe, then please explain why the password was in my log-in box and could be
decoded perfectly. You may say I am crazy but nobody except me has used this
computer for at least one year.
Comment 3 Ral315 2007-03-05 22:32:31 UTC
It's possible that someone used the computer and allowed the browser to save
password information; however, MediaWiki stores username, user ID, and a session
hash.  None of these should include plaintext password information.
Comment 4 Brion Vibber 2007-03-05 22:36:06 UTC
The only time that MediaWiki fills in the password field is if you provide it;
it *shouldn't* ever turn up in a cookie, but I suppose hypothetically if you set
such a cookie there's a chance it might somehow sneak in there.

On the other hand, many browsers *do* have features to save fields and pre-fill
them, including passwords. You should double-check in your browser's setup that
that is the problem.

We have occasionally had odd problems with people getting other people's login
_sessions_ stuck in, probably due to problems with the proxy caching which are
hopefully resolved. That, again, should never show you a password.
