Forum:Require 2FA for Risky Actions

From Meta Wiki
Jump to: navigation, search
Forums: Index > Require 2FA for Risky Actions
Archive
This page or section is an archive.
Please do not edit the contents of this page.
This thread was archived on 26 February 2020 by Gaz Lloyd.

Currently any administrator can edit CSS and JavaScript wiki-wide, which means a hacked account could be used to harm other users through adding malicious JavaScript or to track users through adding CSS tracking pixels. The best defence, separate from restricting these rights to a smaller group, is to require administrators to be two-factor authenticated (2FA) in order to perform these actions. Fortunately, the extension we use for 2FA supports this. This would mean an administrator, as now, would not be required to use 2FA, but if they wish to be able to perform these actions, their account would need to use 2FA. This also makes it safe to allow administrators to once again edit the CSS and JavaScript of other users, which was restricted to sysadmins (staff on Wikia), after Wikia restricted CSS and JavaScript editing to require approval because of an incident where malicious JavaScript was added to steal user passwords.

At this time, the rights requiring 2FA would be:

  • For risk of personal information leakage:
    • abusefilter-private
    • checkuser
    • checkuser-log
  • For risk of wiki-wide harm:
    • editinterface
    • editsitecss
    • editsitejs
    • editsitejson
  • For risk of user-specific harm (also gives back administrators the rights to edit user CSS/JS):
    • editusercss
    • edituserjs
    • edituserjson

Additionally, this means bots can't easily be used to perform these actions, because while the login API does make this possible, AWB and most existing bot frameworks don't support 2FA at this time; however, this is a limited use case and letting bots perform these actions with only bot passwords, since they can hide their edits, is a security risk, so I propose not adding a work-around for bots who have these rights.

Couple of clarifications from Discord (as of 02:17, 29 January 2020 (UTC)):

  • editinterface is included because it could be used to phish users and any vandalism performed with it requires purging our entire cache to be on the safe side. Additionally, our LESS code, which gets converted to CSS, isn't covered by editsitecss, so could still be used to sneak in malicious CSS without this restriction, though LESS could be added to the right if editinterface is determined to otherwise not be too risky.
  • Requiring 2FA for these tools doesn't require admins to have 2FA unless they want to use these tools.
  • Checkuser isn't available to all admins, it's just listed as one of the restricted rights, in this case applying to checkuser group members and sysadmins.
  • Bot passwords do not bypass 2FA, hence the bot concern.
  • Libraries exist for generating two-factor authentication codes, so they could be used in combination with the login API to avoid manually entering new codes for bots.
  • I have backported this feature to our older version of the extension.

Discussion

Support - as nominator. - TehKittyCatTalk Wikian-Book 01:35, 29 January 2020 (UTC)

Support - Yes jayden 01:38, 29 January 2020 (UTC)

My bot generates .css and .js on a daily basis (e.g. Equipment table, CSS sprite table). Is there a solution so that this is not impacted? --Gau Cho (talk) 01:41, 29 January 2020 (UTC)

Yes, use the login API that supports two-factor authentication. Just add a prompt to your bot to enter in the code and perhaps have a Discord webhook ping you if it needs to be entered, which it shouldn't unless your session expired. - TehKittyCatTalk Wikian-Book 01:47, 29 January 2020 (UTC)
Or use a two-factor authentication library to handle code generation automatically. - TehKittyCatTalk Wikian-Book 02:31, 29 January 2020 (UTC)

Support - also support not adding a workaround for bots - there are few legitimate reasons for a bot to be editing JS, and supporting it just introduces another attack vector. Toes for Tea (talk) 01:42, 29 January 2020 (UTC)

Support - Meeeeerds msg 01:53, 29 January 2020 (UTC)

Support — I'm always in favor of better security. --laagone talk 01:56, 29 January 2020 (UTC)

Support - Badassiel 02:08, 29 January 2020 (UTC)

Support - On the condition that the bot solution discussed is viable. Legaia2Pla[T] 02:37, 29 January 2020 (UTC)

Oppose Unless - As per Legaia MitcheII (talk) 05:31, 29 January 2020 (UTC)

Support - On the condition that the 2FA works for bots as well. Can one of the admins currently running bots test using their bot? Elessar2 (talk) 09:03, 29 January 2020 (UTC)

Support - Salix of Prifddinas (Talk) 10:18, 29 January 2020 (UTC)

Support - Shoyrukon (talk) 15:21, 29 January 2020 (UTC)

Support - Srylius (talk) 19:03, 9 February 2020 (UTC)

Comment - GauBot is surviving with 2fa at the moment, even though it seems less robust than 1fa Gau Cho (talk) 20:58, 9 February 2020 (UTC)

Closed - There is consensus to implement 2FA for risky actions. Gaz (talk) 21:47, 26 February 2020 (UTC)