
Personal and sensitive information being sent to a third party by a community
Closed, Resolved, Public

Description

Firstly, this task WILL be public after the checklist below is complete. If sharing information or comments, make it reasonable for public disclosure.

We've been made aware very recently that a script on a wiki community. Example of potential data that can be accessed easily is here; however, more sensitive data is being sent and received.

This has to be assumed as a very serious security incident and a direct violation of the privacy policy.

Steps that should be taken are:

  • Remove the script.
  • Contact those who made the script/bureaucrats and inform them this is unacceptable.
  • Wipe all user logins.
  • Inform everyone with an account on the wiki that their data may have been compromised.
  • Implement controls (CSP).
  • Disclose this publicly on Meta.

Added to this ticket is all security, Void (reasonable and supporting) and The Pioneer (reporter).

Event Timeline

John triaged this task as Unbreak Now! priority. Aug 26 2018, 22:28
John created this task.
John created this object with visibility "Custom Policy".

Some comments.

  1. Script removal should be done by oversighters (so that local admins cannot restore).
  2. One of the problems is that the guy who made the script has been inactive for months (see this). I'm not sure whether anyone can make contact.
  3. Also, at least one of the admins there hosts multiple wikis; those wikis should also be investigated (I'll send a list on CVT channel if necessary).

Some comments.

  1. Script removal should be done by oversighters (so that local admins cannot restore).

Has been done, don't worry :)

  2. One of the problems is that the guy who made the script has been inactive for months (see this). I'm not sure whether anyone can make contact.

They'll get an email if they have one. Else, I'm sure others will react anyway.

  3. Also, at least one of the admins there hosts multiple wikis; those wikis should also be investigated (I'll send a list on CVT channel if necessary).

Please do!

  1. OS is done.
  2. Warning is going anyway.
  3. List should possibly be here.
John mentioned this in Unknown Object (Diffusion Commit). Aug 26 2018, 22:58
John updated the task description.
John changed the visibility from "Custom Policy" to "Public (No Login Required)".