Author: matthew.britton
Description:
On the English Wikipedia, anonymous users who want accounts but can't create them themselves (because the name is too similar or account creation is disabled from their IP address) can request them at http://en.wikipedia.org/wiki/WP:ACC whereupon a trusted user will create the account via the "by e-mail" button on the account creation form.
Once they have done so, the user requesting the account receives an automated e-mail, which looks like this:
The account "[name]" has been created on Wikipedia for you. You have been given a temporary password "[password]". Please log in with these credentials where you will be prompted to change your password. This account was created by someone at [IP address]. You may ignore this message if it was created in error.
That IP address is the IP address of whoever *created the account* -- an administrator or other trusted user. Since the username of whoever handled the request can be found in the page history, the two can be connected. Thus anyone who handles an account creation request is sending their IP address to the requestee.
Can this be avoided somehow?
Version: unspecified
Severity: major