Wikipedianon 5 hours ago

This was only a matter of time.

The Wikipedia community takes a cavalier attitude towards security. Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review. They added mandatory 2FA only a few years ago...

Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

But that's not all. Most "power users" and admins install "user scripts", which are unsandboxed JavaScript/CSS gadgets that can completely change the operation of the site. Those user scripts are often maintained by long abandoned user accounts with no 2 factor authentication.

Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

The Wikimedia foundation knows this is a security nightmare. I've certainly complained about this when I was an editor.

But most editors that use the website are not professional developers and view attempts to lock down scripting as a power grab by the Wikimedia Foundation.

256_ 5 hours ago | parent | next [-]

Maybe somewhat unrelated, but I'm reminded of the fact that people have deleted the main page on a few occasions: https://en.wikipedia.org/wiki/Wikipedia:Don%27t_delete_the_m...

gucci-on-fleek 2 hours ago | parent | prev | next [-]

> Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review.

True, but there aren't very many interface administrators. It looks like there are only 137 right now [0], which I agree is probably more than there should be, but that's still a relatively small number compared to the total number of active users. But there are lots of bots/duplicates in that list too, so the real number is likely quite a bit smaller. Plus, most of the users in that list are employed by Wikimedia, which presumably means that they're fairly well vetted.

[0]: https://en.wikipedia.org/w/api.php?action=query&format=json&...

notRobot 6 minutes ago | parent [-]

There are 15 interface admins as per these links

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...

https://en.wikipedia.org/wiki/Special:ListUsers/interface-ad...

RGamma 3 hours ago | parent | prev | next [-]

Seems like a good time to donate one's resources to fix it. The internet is super hostile these days. If Wikipedia falls... well...

Wikipedianon 2 hours ago | parent | next [-]

It's a political issue. Editors are unwilling or unable to contribute to development of the features they need to edit.

Unfortunately, Wikipedia is run on insecure user scripts created by volunteers who tend to be under the age of 18.

There might be more editors trying to resume boost if editing Wikipedia under your real name didn't invite endless harassment.

logophobia 3 hours ago | parent | prev | next [-]

Sounds more like a political issue, this. Can't buy your way out of that.

tick_tock_tick an hour ago | parent | prev | next [-]

Wikipedia doesn't even spend donations on Wikipedia anymore.

PsylentKnight 3 hours ago | parent | prev [-]

My understanding is that Wikipedia receives more donations than they need, surely they have the resources to fix it themselves?

noosphr 3 hours ago | parent [-]

You would first need to realize it's a problem.

krater23 2 hours ago | parent [-]

Maybe this is the reason for this worm. Someone is angry because they didn't get it any other way...

jibal 2 hours ago | parent [-]

The worm is a two year old script from the Russian Wiki that was grabbed randomly for a test by a stupid admin running unsandboxed with full privileges, so no.

_verandaguy 3 hours ago | parent | prev | next [-]

> Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

Disabled at which level?

Browsers still allow for user scripts via tools like TamperMonkey and GreaseMonkey, and that's not enforceable (and arguably, not even trivially visible) to sites, including Wikipedia.

As I say that out loud, I figure there's a separate ecosystem of Wikipedia-specific user scripts, but arguably the same problem exists.

howenterprisey 3 hours ago | parent | next [-]

Yeah, wikipedia has its own user script system, and that was what was disabled.

Wikipedianon 2 hours ago | parent | prev | next [-]

The sitewide JavaScript/CSS is an editable Wiki page.

You can also upload scripts to be shared and executed by other users.

karel-3d 2 hours ago | parent | prev [-]

This is apparently not done browser side but server side.

As in, a user can upload whatever they wish and it will be shown to them and run, as JS, fully privileged and all.
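
The on-wiki script mechanism the last few comments describe (a wiki page whose text is executed as JavaScript in every loading user's session, and which can itself pull in further pages) can be audited from the loading side. The following is an added example written for this discussion, not code from the thread or from MediaWiki: a small static check that reads a user's common.js text and lists every transitive script load it makes, using the two real loading idioms (the legacy `importScript('User:X/foo.js')` global and `mw.loader.load()` with an `index.php?title=...&action=raw&ctype=text/javascript` URL). It flags loads from another wiki, loads not pinned to a revision with `oldid=`, and sources outside the `User:` and `MediaWiki:` namespaces. The home wiki, the sample common.js, and the user names in it are constructed for the example.

```javascript
// Added example (not from the thread or from MediaWiki): audit a user's
// common.js for transitive script loads. Each load below runs with the
// full privileges of the loading user's session, so the audit reports
// where each one comes from and whether a later edit to that page would
// silently change what runs in the browser.

const HOME_WIKI = 'en.wikipedia.org'; // assumption for the constructed sample

// importScript('Title') loads the latest revision of a page on the same wiki.
const IMPORT_SCRIPT_RE = /importScript\(\s*(['"])([^'"]+)\1\s*\)/g;
// mw.loader.load('url') fetches and executes an arbitrary script URL.
const LOADER_RE = /mw\.loader\.load\(\s*(['"])([^'"]+)\1\s*\)/g;

// Parse an index.php?action=raw URL into {host, title, oldid}; null if it
// is not such a URL (e.g. a ResourceLoader module name like 'ext.gadget.X').
function parseRawUrl(url) {
  try {
    // Protocol-relative URLs (//host/...) are common in on-wiki scripts.
    const u = new URL(url.startsWith('//') ? 'https:' + url : url);
    const title = u.searchParams.get('title');
    if (!title || u.searchParams.get('action') !== 'raw') return null;
    return { host: u.hostname, title, oldid: u.searchParams.get('oldid') };
  } catch (e) {
    return null;
  }
}

// Return one record per script load found in `source`, each with a list of
// flags: 'cross-wiki', 'unpinned' (no oldid=, so the source page's latest
// revision runs), 'unexpected-namespace' (not User: or MediaWiki:).
function auditUserScript(source, homeWiki = HOME_WIKI) {
  const loads = [];
  for (const m of source.matchAll(IMPORT_SCRIPT_RE)) {
    loads.push({ host: homeWiki, title: m[2], oldid: null, via: 'importScript' });
  }
  for (const m of source.matchAll(LOADER_RE)) {
    const parsed = parseRawUrl(m[2]);
    loads.push(parsed
      ? { ...parsed, via: 'mw.loader.load' }
      : { host: null, title: m[2], oldid: null, via: 'mw.loader.load' });
  }
  return loads.map((l) => {
    const ns = l.title.split(':')[0];
    const flags = [];
    if (l.host !== homeWiki) flags.push('cross-wiki');
    if (!l.oldid) flags.push('unpinned');
    if (!['User', 'MediaWiki'].includes(ns)) flags.push('unexpected-namespace');
    return { ...l, flags };
  });
}

// Constructed sample common.js (not any real user's page).
const SAMPLE_COMMON_JS = `
importScript('User:ExampleUser/prefs.js');
mw.loader.load('//ru.wikipedia.org/w/index.php?title=User:SomeUser/tool.js&action=raw&ctype=text/javascript');
mw.loader.load('//en.wikipedia.org/w/index.php?title=User:ExampleUser/pinned.js&action=raw&ctype=text/javascript&oldid=123456');
mw.loader.load('//en.wikipedia.org/w/index.php?title=Draft:Sandbox.js&action=raw&ctype=text/javascript');
`;

function main() {
  for (const l of auditUserScript(SAMPLE_COMMON_JS)) {
    const where = (l.host || '?') + ' ' + l.title;
    console.log(`${l.via.padEnd(15)} ${where} [${l.flags.join(', ') || 'ok'}]`);
  }
}
main();
```

Only the third load in the sample comes back clean: it is on the home wiki, in a User: page, and pinned to a specific revision, so the account that owns that page cannot change what runs without the importing user updating the `oldid`. Pinning does not help against the sitewide `MediaWiki:Common.js` page discussed earlier, which every visitor receives at its current revision regardless of what their own scripts do.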

AlienRobot an hour ago | parent | prev | next [-]

For reference

>There are currently 15 interface administrators (including two bots).

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...

chris_wot 5 hours ago | parent | prev [-]

[flagged]

alphager 4 hours ago | parent | next [-]

Most admins on Wikipedia are competent in areas outside of webdev and security.

formerly_proven 3 hours ago | parent | prev [-]

Wikipedia admins are not IT admins, they're more like forum moderators or admins on a free phpBB 2 hosting service in 2005. They don't have "admin" access to backend systems. Those are the WMF sysadmins.

Wikipedianon 2 hours ago | parent [-]

This is half true, because Wikipedia admins had the ability to edit sitewide JavaScript until 2018.

A certain number of "community" admins maintain that right to this day after it was realized this was a massive security hole.