enwikipedia-acc / waca

English Wikipedia Account Creation Interface
https://accounts.wmflabs.org/internal.php
The Unlicense

Spoof detector not working #212

Open Kharkiv07 opened 8 years ago

Kharkiv07 commented 8 years ago

I've had two requests today where the ACC anti-spoof checker did not label them as flagged-user needed, but when I went to create them I couldn't because of too similar accounts already existing.

Kharkiv07 commented 8 years ago

It appears to have something to do with capitalization, from a cursory look.

stwalkerster commented 8 years ago

For reference, these are:

Curious... they're two together...

stwalkerster commented 8 years ago

Both those requests now only show one conflict from AntiSpoof - and that's the name on the request itself. (And yes, I'm querying Wikipedia directly)

stwalkerster commented 8 years ago

Possibly related to a difference in code between ApiAntiSpoof::execute() and AntiSpoofHooks::asAbortNewAccountHook(...) in the MediaWiki AntiSpoof extension.

stwalkerster commented 8 years ago

https://phabricator.wikimedia.org/diffusion/EANS/browse/master/AntiSpoofHooks.php;820cd721cfc6653327540097d91ba559572f991f$21

https://phabricator.wikimedia.org/diffusion/EANS/browse/master/api/ApiAntiSpoof.php;820cd721cfc6653327540097d91ba559572f991f$10

MJ94 commented 8 years ago

160196 also doesn't show 2 similar usernames.

stwalkerster commented 8 years ago

OK, so quick summary of my findings:

| Reference | Example | Normalised | Discovered on Creation | Discovered on API |
|---|---|---|---|---|
| Requested Name | Name 00 | v2:NAME00 | N/A | N/A |
| Conflict 1 | Name-00 | v2:NAME00 | Yes | No |
| Conflict 2 | Name00 | v2:NAME00 | Yes | No |

This is an upstream problem, but I'll try and reproduce the issue locally.

stwalkerster commented 8 years ago

Great, so there's a centralauth version of AntiSpoof too:

https://phabricator.wikimedia.org/diffusion/ECAU/browse/master/AntiSpoof/CentralAuthAntiSpoofHooks.php

FunPika commented 8 years ago

Opened a Phabricator task for this issue.

https://phabricator.wikimedia.org/T126174

bardiharborow commented 6 years ago

I ran into this today with 223123.

stwalkerster commented 6 years ago

Urgh.

Both the requested account and the existing account are reporting the same normalised name, and both passing the AntiSpoof check, on both enwiki and mswiki (where the conflicting account is registered).

The existing account only exists on mswiki, no other wikis (incl. loginwiki).

I'll try and set up a centralauth+antispoof wiki somewhere and see if I can recreate this reliably for the phab task.

ElHefWiki commented 4 years ago

More requests with antispoof issues from what I've handled: 279250, 292208, 292325, 270660, 279099, 292315, 288385. I've noticed this often; I'll keep track of them and put them here periodically as long as it's useful.