Last modified: 2007-03-20 05:44:28 UTC
Trying to log in this morning I have found that my computer wanted to log in
under an unknown name. The user's name plus his password were clearly on my log
on field. After checking my system for viruses and similar I found a Cookie from
Wikipedia that contained somebody else's data and password and, sorry to say,
was so amateurish encoded that it took me less than a minute to see the other
users password in clear. Besides adressing this problem you might want to
contact User:Rough to advise him that his password has been compromised. This is
my at-home computer and has not been used by anyone but me for at least a year.
Besides my log-ons are slightly harder to crack than yours.
Note that the cookies do not include passwords.
(In reply to comment #1)
> Note that the cookies do not include passwords.
Maybe, than please explain why the password was in my log-in box and could be
decoded perfectly. You may say I am crazy but nobody except me has used this
computer for at least one year
It's possible that someone used the computer and allowed the browser to save
password information; however, MediaWiki stores username, user ID, and a session
hash. None of these should include plaintext password information.
The only time that MediaWiki fills in the password field is if you provide it;
it *shouldn't* ever turn up in a cookie, but I suppose hypothetically if you set
such a cookie there's a chance it might somehow sneak in there.
On the other hand, many browsers *do* have features to save fields and pre-fill
them, including passwords. You should double-check in your browser's setup that
that is the problem.
We have occasionally had odd problems with people getting other peoples' login
_sessions_ stuck in, probably due to problems with the proxy caching which are
hopefully resolved. That, again, should never show you a password.