[02:59:03] anyways @originalauthority ill try tmr to see if i can access my account via a different browser or just downright transferring the passkey but if it fails uuuh lmk what you need from me for the burden of disabling MFA
[03:14:37] getting locked out any%
[03:17:16] :BardoniaBased:
[03:17:41] i thought that the spam or vandalism route would be faster, but i forgot about the webauthn one
[03:21:16] nah
[03:21:39] I think I may be the first person to lock themselves out of their account with a Request for GA open
[03:22:42] yeah because GAs didn't exist until a couple days ago
[03:22:53] /s
[03:24:10] right
[03:24:14] edits dont carry over
[03:24:19] I changed it to GA/GS
[03:24:26] oh okay
[03:24:32] how about just RfGP
[03:24:46] that's a new record i suppose
[11:40:22] Adios!!
[12:32:40] @originalauthority I don't ducking understand technology sometimes but I’m not complaining
[12:32:44] https://cdn.discordapp.com/attachments/1006789349498699827/1260574428358512792/image0.jpg?ex=668fd0ec&is=668e7f6c&hm=8e9c57c5d489fec9f50b8c5ab42fa9f24c46616a6260de10672369b28fdea59d&
[12:33:02] Question
[12:33:11] I hate technology
[12:33:13] If you need a packet to login
[12:33:18] Of crisps?
[12:33:20] Passkey*
[12:33:26] How do you
[12:33:28] Login
[12:33:37] From any other device
[12:33:43] Like
[12:33:47] To add a key on my desktop
[12:34:49] Erm, im not really sure. I don't use passkeys with mediawiki.
Iirc you can only have 1 passkey, i think?
[12:38:44] https://cdn.discordapp.com/attachments/1006789349498699827/1260575936214990859/image0.jpg?ex=668fd253&is=668e80d3&hm=6a1fa3b9e9dc71fd697e78cba19d6975e8dbc8d06c7a4cd0314b8abcdd51a4b7&
[12:39:21] Okay so I can figure two options from my iOS
[12:39:38] 1. Key ring/ yubi key (dont got one)
[12:40:12] Or 2, it lets me export a passkey as a QR code instead of on my phone
[12:41:24] Think I need to update my OS though
[12:41:32] Oh i dont use WebAuthn
[12:41:37] I use that 2FA one
[12:41:56] I’m going to try webauth
[12:42:08] And suck it up and publish my PGP key as a backup
[12:42:47] I don’t like pulling out my phone for codes
[12:49:23] https://youtu.be/3aDFp99_FqA?si=rqr-3G2YaygzhBEQ
[12:49:48] Actually this should be in off topic mb, but wouldn’t be able to reply to the msg
[12:49:50] Whoopies
[12:54:13] > [10/07/2024 22:41] I use that 2FA one
[12:54:15] TOTP
[12:55:20] pixldev: if you don't mind, you can store the totp secret in password manager or so
[12:55:26] then you can generate codes straight from it
[13:41:26] @originalauthority would you believe if i said that i get a stack error trying to disable webauth
[13:41:39] im gonna try on beta rq
[13:42:28] `3fa127fb6c9f4f0f98a33cc6`
[14:08:42] @rhinosf1 i assume you also use the normal TOTP for MFA?
[14:19:15] Yes
[14:19:29] Mediawiki webauthn is shit
[14:19:43] ya think
[14:20:02] TOTP is perfectly fine
[14:20:10] SMS or email based 2FA is evil
[14:20:15] But we don't offer that
[14:20:35] I love the concept of webauthn
[14:20:44] the execution on windows and mediawiki sucks
[14:21:53] i still cant turn it off though
[14:30:16] Windows full stop sux
[14:31:06] Oh we need to bump some skins
[14:32:30] Mac also sucks
[14:33:30] Wrong!
[14:33:45] i'm already in the iPhone walled garden
[14:33:53] I'm not using mac
[14:34:16] tech sux we should all walk into the forest never to be seen again
[14:34:21] I was too but now I have a samsung
[14:34:30] Still use airpods, mac, ipad, applewatch though
[14:35:35] I do miss apple pay though
[14:35:41] Samsung Pay doesn't hit the same
[14:40:21] anyways, do you have any idea what the stack error means?
[14:40:26] .
[14:47:16] In RequestWiki I am concerned that when I select "Needs more details" and submit, the load time is 3 times longer than other actions. It is slower than "Approve" which would be the heaviest processing
[15:22:04] @originalauthority or do you want me to open a phab task on this
[15:22:43] Nah ill have a look in about 15 mins
[15:24:57] 👍
[16:03:17] No it doesn't
[16:03:33] Windows in general is terrible
[16:03:58] Not as much as a walled garden
[16:04:11] Windows has been chugging along for me for years
[16:04:20] Mac just feels so counter intuitive
[19:01:10] Prod — Today at 16:09
https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/3NE3HUY4H6PCEG334MW2STD42K6IORFX/
MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.1)
Manfredi Martorana @ 10 Jul 2024 11:15 a.m.
Greetings-
With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins [...] [1]:
CheckUser
API
T326867 - can expose suppressed information for log events
T361295 - shows hidden usernames to those who cannot see them
Special:CheckUser
T361479 - 'Get actions' page link can expose the username of a suppressed user
T361293 - 'Get users' shows hidden usernames to those who do not have the rights to see it
T326865 - can expose suppressed information for log events
T268147 - shows deleted edits to non-admins
Special:Investigate
T326866 - can expose suppressed information for log events
T361296 - exposes suppressed usernames to those who do not have the rights to see them
T338419 - Wikimedia\RequestTimeout\RequestTimeoutException on timeline mode
MediaWikiChat
T362588 - Classic CSRF in MediaWikiChat's API modules
ArticleRatings
T363884 - Special:ChangeRating is vulnerable to CSRF
Gadgets
T363773 - Evil regex used to process gadget definitions
Skins - stored XSS via MediaWiki:Sidebar
T361448 - GuMaxDD
T361449 - Metrolook
T361450 - Nimbus
T361451 - Tempo
T361452 - Foreground
T361453 - BlueLL
The Wikimedia Security Team recommends updating [...] [2] as soon as possible. [...] If you have any additional questions or concerns [...] contact security@wikimedia.org or file a security task [...] [3].
[1] https://phabricator.wikimedia.org/T361321
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[Heavily modified due to discord limits. hyperkitty link has full details. [1] has links to all tickets and CVE details]
[20:05:19] (bump if you aint busy)
[20:23:52] nothing was logged
[20:24:53] what
[20:24:56] uh
[20:25:00] do you want to just
[20:25:07] try disabling it from your end
[20:25:25] since I can show myself logged in going to disable I assume the typical burden of proof is void
[20:25:59] show me da proof
[20:26:47] want me to call you on discord phone and screenshare?
[20:26:54] or actually
[20:26:55] i can record
[20:27:01] send me on DM
[20:27:03] yea easier
[20:33:13] oh @pixldev it was logged. I had the time period set to 5 mins lol
```php
MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnDisableForm::authenticate(): Argument #1 ($credential) must be of type array, string given, called in /srv/mediawiki/1.41/extensions/WebAuthn/src/HTMLForm/WebAuthnDisableForm.php on line 74
```
[20:33:29] hmm
[20:33:52] could it be that it was expecting multiple keys and the proper way would have been to remove that one key?
[20:35:31]
```php
if ( !$this->authenticate( $formData['credential'] ) ) {
	return [ 'oathauth-failedtovalidateoath' ];
}
```
Seems to be happening here
[20:35:48] $credential for some reason should be an array and its receiving a string
[20:36:08] oh
[20:36:10] its been pached
[20:36:13] patched*
[20:36:20] we must be running an out-of-date version