Wikipedia in read-only mode following mass admin account compromise

Posted by greyface- 7 hours ago

744 points | 239 commentspage 2

pixl97 5 hours ago|

>Cleaning this up

Find the first instance and reset to the backup before then. An hour, a day, a week? Doesn't matter that much in this case.

bbor 5 hours ago|

It is true that they have a particularly robust, distributed backup system that can/has come in handy, but FWIW the timing matters to them. English Wikipedia receives ~2 edits per second, or 172,800 per day. Many of them are surely minor and/or automated, but still: 1,036,800 lost edits is a lot!

shevy-java 5 hours ago|||

Are they really lost though? I think they should not be lost; they could be stored in a separate database additionally.

derefr 5 hours ago||

In fact, as long as the malware is just doing deletes, you can just merge the two "timelines" by restoring the snapshot and then replaying all the edits but ignoring the deletes. Lost deletes really aren't much of a problem!

Kiboneu 5 hours ago|||

Filesystem & database snapshots are very cheap to make, you can make them every 15 minutes. You can expire old snapshots (or collapse the deltas between them) depending on the storage requirements.

squeaky-clean 4 hours ago||

That doesn't really matter though against an attack that takes some time to spread. If the attack was active for let's say, 6 hours, then 43,000 legitimate edits happened in between the last "clean" snapshot and the discovery of the attack. If you just revert to the last clean snapshot you lose those legitimate edits.

shevy-java 5 hours ago||

This is unfortunate that Wikipedia is under attack. It seems as if there are more malicious actors now than, say, 5 years ago.

This may be unrelated but I also noticed more attacks on e. g. libgen, Anna's archive and what not. I am not at all saying this is similar to Wikipedia as such, mind you, but it really seems as if there are more actors active now who target people's freedom now (e. g. freedom of choice of access to any kind of information; age restriction aka age "verification" taps into this too).

jibal 2 hours ago|

Wikipedia is not under attack. Some stupid admin running with full privileges unsandboxed ran a test that grabbed and ran random user scripts, and one of them just happened to be this 2 year old malicious script.

tonymet 48 seconds ago||

that's a common attack vector -- like leaving malware usb sticks on the ground, knowing an admin will pick it up and insert it.

Phabricator reveals the ops tasks that WMF admins perform, so attackers can drop malware in common locations and bet on them getting run from time to time.

Dwedit 4 hours ago||

I just checked a wiki, and the "MediaWiki:Common.js" page there was read-only, even for wikisysop users.

bawolff 2 hours ago|

You need to be a special type of admin, called "interface-admin" to edit it. Normal admin is not enough.

clcaev 5 hours ago||

We should be using federated organizational architectures when appropriate.

For Wikipedia, consider a central read-only aggregated mirror that delegates the editorial function to specialized communities. Common, suggested tooling (software and processes) could be maintained centrally but each community might be improved with more independence. This separation of concerns may be a better fit for knowledge collection and archival.

Note: I edited to stress central mirroring of static content with delegation of editorial function to contributing organizations. I'm expressly not endorsing technical "dynamic" federation approaches.

brcmthrowaway 4 hours ago|

Exactly. Wikipedia should be used on ipfs

mafriese 4 hours ago||

I’m not saying that this is related to Wikipedia ditching archive.is but timing in combination with Russian messages is at least…weird.

armchairhacker 4 hours ago||

The script was uploaded in 2024, and triggered today because of an accident

https://en.wikipedia.org/wiki/Wikipedia:Village_stocks#Scott...

worksonmine 4 hours ago||

And they probably used mind-control to make the admin run random userscripts on his privileged account as well, the capabilities of russian hackers is scary.

It is just another human acting human again.

devmor 6 hours ago||

In the early 2010’s I worked for a company whose primary income was subscriptions to site protection services - one of which included cleaning up malware-infected Wordpress installations. I worked on the team that did this job.

This exact type of database-stored executable javascript was one of the most annoying types of infections to clean up.

0xWTF 6 hours ago|

Ok, so there are tons of mediawiki installations all over the internet. What do these operators do? Set their wikis to read-only mode, hang tight, and wait for a security patch?

Also, does this worm have a name?

bawolff 5 hours ago||

There is nothing to do, the incident was not caused by a vulnerability in mediawiki.

Basically someone who had permissions to alter site js, accidentally added malicious js. The main solution is to be very careful about giving user accounts permission to edit js.

[There are of course other hardening things that maybe should be done based on lessons learned]

dboreham 5 hours ago|||

There are already tools and techniques to validate served JS is as-intended, and these techniques could be beefed up by adding browser checks. I've been surprised these haven't been widely adopted given the spate of recent JS-poisoning attacks.

streetfighter64 5 hours ago|||

Well, admins (or anybody other than the developers / deployment pipeline) having permissions to alter the JS sounds like a significant vulnerability. Maybe it wasn't in the early 2000s, but unencrypted HTTP was also normal then.

bawolff 2 hours ago|||

That's a fair point, but keep in mind normal admin is not sufficient. For local users (the account in question wasn't local) you need to be an "interface admin", of which there are only 15 on english wikipedia.

The account in question had "staff" rights which gave him basically all rights on all wikis.

cesarb 8 minutes ago||

> For local users (the account in question wasn't local) you need to be an "interface admin", of which there are only 15 on english wikipedia.

It used to be all "admin" accounts, of which there were many more. Restricting it to "interface admin" only is a fairly recent change.

LaGrange 5 hours ago|||

> Well, admins (or anybody other than the developers / deployment pipeline) having permissions to alter the JS sounds like a significant vulnerability.

It's a common feature of CMS'es and "tag management systems." Its presence is a massive PITA to developers even _besides_ the security, but PMs _love them_, in my experience.

sciencejerk 4 hours ago||

I wonder if any poisoned data made it into LLM training data pipelines?

ibejoeb 4 hours ago|

Interesting angle. Everyone has already pointed out that there are backups basically everywhere, and from an information standpoint, shaving off a day (or whatever) of edits just to get to a known-good point is effectively zero cost. But I wonder what the cost is of the potentially bad data getting baked into those models, and if anyone really cares enough to scrap it.

garbagecreator 5 hours ago||

Another reason to make the default disabling JS on all websites, and the website should offer a service without JS, especially those implemented in obsolete garbage tech. If it's not an XSS from a famous website, it will be an exploit from a sketchy website.

j45 5 hours ago||

Too much app logic in the client side (Javascript) has always been an attack vector. The more that can reasonably be server side, the more that can't be seen.

dns_snek 5 hours ago|

The amount of javascript is really beside the point here. The problem is that privileged users can easily edit the code without strong 2FA, allowing automatic propagation.

shevy-java 5 hours ago|||

How does 2FA prevent this here?

dns_snek 5 hours ago||

If they required 2FA every time you wanted to modify JS then it couldn't propagate automatically. Just requiring 2FA when you first log in wouldn't help, of course.

j45 3 hours ago||

2FAs also may require a level of KYC that Wikipedia isn't after and advocating for 2FA might indirectly advocate for a lot more things than just 2FA.

dns_snek 1 hour ago||

KYC? I'm talking about standard 2FA methods like Time-based OTP codes.

j45 3 hours ago|||

It's not, application logic exposed on the client side is always an attack vector for figuring out how it works and how attack vectors could be devised.

It's simply a calculated risk.

How much business and application logic you put in your Javascript is critical.

On your second unrelated comment about Wikipedia needing to use 2FA, there's probably a better way to do it and I hope mediawiki can do it.

dns_snek 1 hour ago||

I don't know what you mean by application logic being exposed client-side. To change the content on the website, nuke articles, and propagate the malicious JS code you need to hijack privileged users' credentials and use them to trigger server-side actions.

It doesn't matter how much functionality the JS was originally responsible for, it could've been as little as updating a clock, validating forms, or just some silly animation. Once that JS executes in your browser it has access to your cookies and local storage, which means it can trigger whichever server-side actions it wants.

My second comment is not unrelated. The root cause of this mess is the fact that JS can be edited by privileged users without an approval process. If every change to the JS code required the user to enter their 2FA code (TOTP, let's say) then there would be no way for the worm to spread whenever users visited a page.

TZubiri 4 hours ago|

There's thousands of copies of the whole wikipedia in sql form though, IIRC it's just like 47GB.

eblume 3 hours ago|

Correct. Not sure about a sql archive, but the kiwix ZIM archive of the top 1M English articles including (downsized but not minimized) images is 43GiB: https://download.kiwix.org/zim/wikipedia/

And the entire English wikipedia with no images is, interestingly, also 43GiB.

More comments...