[Wikipedianon]

This was only a matter of time.

The Wikipedia community takes a cavalier attitude towards security. Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review. They added mandatory 2FA only a few years ago...

Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

But that's not all. Most "power users" and admins install "user scripts", which are unsandboxed JavaScript/CSS gadgets that can completely change the operation of the site. Those user scripts are often maintained by long abandoned user accounts with no 2 factor authentication.

Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

The Wikimedia foundation knows this is a security nightmare. I've certainly complained about this when I was an editor.

But most editors that use the website are not professional developers and view attempts to lock down scripting as a power grab by the Wikimedia Foundation.

[256_]

Maybe somewhat unrelated, but I'm reminded of the fact that people have deleted the main page on a few occasions: https://en.wikipedia.org/wiki/Wikipedia:Don%27t_delete_the_m...

[gucci-on-fleek]

> Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review.

True, but there aren't very many interface administrators. It looks like there are only 137 right now [0], which I agree is probably more than there should be, but that's still a relatively small number compared to the total number of active users. But there are lots of bots/duplicates in that list too, so the real number is likely quite a bit smaller. Plus, most of the users in that list are employed by Wikimedia, which presumably means that they're fairly well vetted.

[0]: https://en.wikipedia.org/w/api.php?action=query&format=json&...

[Wikipedianon]

There shouldn't be any interface admins as such. There should be an enforced review process for changes to global JavaScript so stuff like this can't happen.

I'm sure there are Google engineers who can push changes to prod and bypass CI but that isn't a normal way to handle infra.

[notRobot]

There are 15 interface admins as per these links

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...

https://en.wikipedia.org/wiki/Special:ListUsers/interface-ad...

[gucci-on-fleek]

Those are the English Wikipedia-only users, but you also need to include the "global" users (which I think were the source of this specific compromise?). Search this page [0] for "editsitejs" to see the lists of global users with this permission.

[0]: https://en.wikipedia.org/wiki/Special:GlobalGroupPermissions

[RGamma]

Seems like a good time to donate one's resources to fix it. The internet is super hostile these days. If Wikipedia falls... well...

[Wikipedianon]

It's a political issue. Editors are unwilling or unable to contribute to development of the features they need to edit.

Unfortunately, Wikipedia is run on insecure user scripts created by volunteers that tend to be under the age of 18.

There might be more editors trying to resume boost if editing Wikipedia under your real name didn't invite endless harassment.

[diath]

They have 100s of millions USD, they will be fine: https://upload.wikimedia.org/wikipedia/foundation/3/3f/Wikim... (page 5-7).

[tick_tock_tick]

Wikipedia doesn't even spend donation of Wikipedia anymore.

[logophobia]

Sounds more like a political issue this. Can't buy your way out of that.

[PsylentKnight]

My understanding is that Wikipedia receives more donations than they need, surely they have the resources to fix it themselves?

[noosphr]

You would first need to realzie it's a problem.

[krater23]

Maybe this is the reason for this worm. Someone is angry because they don't got it in another way...

[jibal]

The worm is a two year old script from the Russian Wiki that was grabbed randomly for a test by a stupid admin running unsandboxed with full privileges, so no.

[bawolff]

> Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

You're mixing up events. Superprotect is unrelated to the IAdmin separation from normal admin. The two are separated by many years and basically totally unrelated.

I agree with the rest of your post.

[Nemo_bis]

Reminds me of the famous quip starting with "found a bug in the english site" (early 2000s)...

https://bash.toolforge.org/quip/AU8FCPz66snAnmqnLHDj

[AlienRobot]

For reference

>There are currently 15 interface administrators (including two bots).

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...

[_verandaguy]

    > Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

Disabled at which level?

Browsers still allow for user scripts via tools like TamperMonkey and GreaseMonkey, and that's not enforceable (and arguably, not even trivially visible) to sites, including Wikipedia.

As I say that out loud, I figure there's a separate ecosystem of Wikipedia-specific user scripts, but arguably the same problem exists.

[howenterprisey]

Yeah, wikipedia has its own user script system, and that was what was disabled.

[karel-3d]

This is apparently not done browser side but server side.

As in, user can upload whatever they wish and it will be shown to them and ran, as JS, fully privileged and all.

[Wikipedianon]

The sitewide JavaScript/CSS is an editable Wiki page.

You can also upload scripts to be shared and executed by other users.