RIP Wikimedia Open Redirect Bug (image domain whitelist bypass)

novice27b · #1 July 23, 2020 17:17:10

Looking at the Wikimedia bug tracker, this bug/feature is just about to be fixed.

I think it's been almost 5 years since I first found this bug - I was specifically looking for a way to bypass the image whitelist, at the time.

All “dynamic” signature images etc. will break, until someone finds a new bug.

Boomer001 · #2 July 23, 2020 17:19:32

OH NO

Boomer001 · #3 July 23, 2020 17:29:40

It's fixed

What do we do now?

Maximouse · #4 July 23, 2020 18:29:52

Boomer001 wrote:
It's fixed
What do we do now?

I would probably set up a node.js bot which would periodically upload the image to Scratch as a project tumbnail. SVGs would not work this way.

Jeffalo · #5 July 23, 2020 20:04:31

i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.

… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.

Jeffalo · #6 July 23, 2020 20:16:39

i mean perhaps we should i apologize to the scratch team for abusing the bug in the first place? i apologized to @codubee since it seems like he's the one who reported it.

--Explosion-- · #7 July 23, 2020 20:27:28

Noo!

I never even got to try! ;-;

apple502j · #8 July 23, 2020 23:16:08

Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM , Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to a image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.

herohamp · #9 July 23, 2020 23:28:21

apple502j wrote:
Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM , Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to a image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.

Are you the reason?!?!?

novice27b · #10 July 24, 2020 01:04:53

Jeffalo wrote:
i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.

… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.

No, I reported it almost 5 years ago lol.

novice27b · #11 July 24, 2020 01:07:31

apple502j wrote:
Email disclosure time, I guess?

Thanks for the report. We're tracking this issue internally.

-Bryce
Scratch Team

On Tue, 21 Jul at 9:35 AM , Apple502j <email omitted> wrote:
I “heard” that by posting or setting a signature to a image to https://secure.wikimedia.org/wikipedia/scratch.mit.edu%5c/..%5csite-api/comments/user/kaj any people who visit it get logged out. The domain secure.wikimedia.org (or wikimedia.org) should be removed from forum allowlist to prevent image filter bypasses.

I reported the same technique, but with the “Follow Discussion” link - which at the time was a GET request rather than a POST. So I used to bug to create a forum thread that would automatically make anyone who viewed it a follower.

ajsya · #12 July 24, 2020 03:32:40

Is this why my signature broke, I was wondering.

And I just started using this method.

Jeffalo · #13 July 24, 2020 06:26:17

novice27b wrote:

Jeffalo wrote:
i would like to apologize since this is probably mostly my doing.

but the quick reporting from the scratch team(?) and the quick fixing from wikimedia was very good.

… now we need an alternative. abusing scratch thumbnails seems doable, but they couldn't be svg quality and it's been said that thumbnails are a primary reason scratch is so slow sometimes.

RIP wikimedia open redirect, you will be missed.
No, I reported it almost 5 years ago lol.

nono i mean like i think i (re)reminding people of it, by mentioning it recently and using it for my isgnature thing which lead to more people knowing about it and then i guess st didn't like.

Last edited by Jeffalo (July 24, 2020 09:06:01)

miaow55 · #14 July 24, 2020 06:48:48

Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.

Jeffalo · #15 July 24, 2020 06:57:36

miaow55 wrote:
Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.

you hosted all images using the wikimedia redirect?

miaow55 · #16 July 24, 2020 07:00:38

Jeffalo wrote:

miaow55 wrote:
Every image I have ever hosted. Gone.
Along with the decline of Cubeupload, images on the forums are dying.
you hosted all images using the wikimedia redirect?

Yes, on my old account, I had roughly 1500 posts in the requests forum, around 20% of which contained images hosted through the aforementioned method.

Last edited by miaow55 (July 24, 2020 07:01:04)

CatsUnited · #17 July 24, 2020 07:36:51

[nevermind I didn't realise originally that this was fixed by wikimedia so even if I wanted to do this redirect outside of Scratch, it wouldn't work anymore]

Last edited by CatsUnited (July 24, 2020 09:32:03)

gdpr70f61245d597c25631fbb669 · #18 July 24, 2020 08:01:50

This issue was on wikimedia phabricator since november 2016, but was bumped only two days ago by a user with no other posts than to that issue. I will assume this is the responsibility for being fixed, however I am not convinced this was a bad thing as it was surely being used maliciously.

Yes, most people don't seem to realize that scratch is already hosting hundreds of millions of images, over 99% of which you've never seen (actual number!)

Last edited by gdpr70f61245d597c25631fbb669 (July 24, 2020 08:10:01)

Jeffalo · #19 July 24, 2020 09:04:00

Naleksuh wrote:
This issue was on wikimedia phabricator since november 2016, but was bumped only two days ago by a user with no other posts than to that issue. I will assume this is the responsibility for being fixed, however I am not convinced this was a bad thing as it was surely being used maliciously.

Yes, most people don't seem to realize that scratch is already hosting hundreds of millions of images, over 99% of which you've never seen (actual number!)

that user was scratch team member codubee.

ps. im working on a method to safely upload images to scratch project thumbnails intergrated into the forums for maximum ease of use. i have a working tech demo but i'll release it somehow (i wish there was no extensiton policy) and hopefully it's helpful.

obviously it can't do things like “dynamic” images or svgs, but it gets the job done for working around cubeupload. also i think datonelefty made something like this already.

Boomer001 · #20 July 24, 2020 09:17:59

This is the bug report (for the ones who are curious). As you can see, they were talking about the Scratch website, and that you can go around the whitelist. The bug report was created in 2016 (as explained by @Naleksuh) and was bumped up 2 days ago (by a Scratch Team member, as explained by @Jeffalo).

Last edited by Boomer001 (July 24, 2020 09:26:41)

Discuss Scratch