Security issue in Wikipedia projects


DaB.-4
Hello all,

As the WMF announced [1], the password hashes and email addresses of
many users were publicly accessible in WikiLabs (and so ToolLabs) for 6
months.
So please make sure that you and your bots get a new password as soon as
possible! A well-known bot in the wrong hands is dangerous, so change
the password now – don’t wait to see whether you get a mail from the WMF
(I got none, but am affected AFAIS).

Sincerely,
DaB.

[1] https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue


_______________________________________________
Toolserver-l mailing list ([hidden email])
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette


Re: [Toolserver-announce] Security issue in Wikipedia projects

Jeremy Baron
On Fri, Oct 4, 2013 at 2:36 PM, DaB. <[hidden email]> wrote:
> (I got none,
> but am affected AFAIS).

I wonder how you came up with that?

(not all users on a given DB were actually affected AIUI; some even
had no affected users)

Anyway, changing passwords should be a routine thing, and doing it one
extra time can't hurt.

-Jeremy


Re: [Toolserver-announce] Security issue in Wikipedia projects

Marc-Andre
On 10/04/2013 10:53 AM, Jeremy Baron wrote:
> (not all users on a given DB were actually affected AIUI; some even
> had no affected users)

Indeed, the fraction of affected users is low even on the affected
databases; every account that was affected was sent an email.

-- Marc



Re: [Toolserver-announce] Security issue in Wikipedia projects

DaB.-4
Hello,
On 04.10.2013 17:12, Marc A. Pelletier wrote:
> every account that was affected was sent an email.

I got no mail, but MediaWiki logged me out and forced me to change my
password (so I guess that I’m affected).

Sincerely,
DaB.



Re: [Toolserver-announce] Security issue in Wikipedia projects

Simon Walker

"As a precautionary
measure, we have invalidated all affected user sessions, and are
requiring affected users like yourself to change their password on
their next login."

On 4 Oct 2013 17:15, "DaB." <[hidden email]> wrote:
Hello,
On 04.10.2013 17:12, Marc A. Pelletier wrote:
> every account that was affected was sent an email.

I got no mail, but MediaWiki logged me out and forced me to change my
password (so I guess that I’m affected).

Sincerely,
DaB.



Re: [Toolserver-announce] Security issue in Wikipedia projects

Marc-Andre
On 10/04/2013 12:15 PM, DaB. wrote:
> I got no mail, but MediaWiki logged me out and forced me to change my
> password (so I guess that I’m affected).

Well, the email was indeed sent to you:

2013-10-03 06:57:40 1VRcqy-0000fo-78 => [hidden email] <[hidden email]>
R=wiki_mail T=remote_smtp S=3309 H=wiki-mail.wikimedia.org
[208.80.152.133] C="250 OK id=1VRcqy-00086y-Gf" DT=0s
2013-10-03 06:57:40 1VRcqy-0000fo-78 Completed

so I guess it ended up in your spam trap or something?

-- Marc



Re: [Toolserver-announce] Security issue in Wikipedia projects

K. Peachey-2
On Sat, Oct 5, 2013 at 5:59 AM, Marc A. Pelletier <[hidden email]> wrote:
On 10/04/2013 12:15 PM, DaB. wrote:
> I got no mail, but MediaWiki logged me out and forced me to change my
> password (so I guess that I’m affected).

Well, the email was indeed sent to you:

2013-10-03 06:57:40 1VRcqy-0000fo-78 => [hidden email] <[hidden email]>
R=wiki_mail T=remote_smtp S=3309 H=wiki-mail.wikimedia.org
[208.80.152.133] C="250 OK id=1VRcqy-00086y-Gf" DT=0s
2013-10-03 06:57:40 1VRcqy-0000fo-78 Completed

so I guess it ended up in your spam trap or something?

-- Marc

Wait, you just released information on an email account that is attached to a user profile…


Re: [Toolserver-announce] Security issue in Wikipedia projects

Marc-Andre
On 10/04/2013 04:59 PM, K. Peachey wrote:
> Wait, you just released information on an email account that is attached
> to a user profile…

I have, and it was a goof.  This is a known email for DaB, and one which
is attached to his public PGP key, so it didn't flag any warnings in my
head despite how the association was made.

DaB; please accept my apologies if that bugged you -- my intent was
obviously to help you debug the issue you had.

-- Marc



Re: [Toolserver-announce] Security issue in Wikipedia projects

DaB.-4
Hello,
On 04.10.2013 21:59, Marc A. Pelletier wrote:
> so I guess it ended up in your spam trap or something?

No, and that’s for a simple reason: the email address is invalid and
bounces (I just re-tried it myself) – gmx decided sometime last year that
this syntax is invalid (which is correct, but they didn’t care for years)
and no longer accepts mail for it.
Now two questions: why didn’t WMF notice the bounce, and why did WMF
not use my SUL email address? And following from question 1: how many other
bounces happened without notice?

And yes, I accept your apology. I also overreacted a bit, I’m sorry too.

BTW: While I have a PGP key for that email address, I have not used it for
years.

Sincerely,
DaB.




Re: [Toolserver-announce] Security issue in Wikipedia projects

Marc-Andre
On 10/04/2013 05:34 PM, DaB. wrote:
> Now two questions: why didn’t WMF notice the bounce, and why did WMF
> not use my SUL email address? And following from question 1: how many other
> bounces happened without notice?

Your second question is easy: the mail was sent to the email address
associated with the exposed account.  I expect you have that email
address still on the project that was on the list, so this is where the
email was sent.

For your first question: we would notice mail being rejected by the MTA,
but not a bounce that came in after the fact.  gmx.de did accept the
mail for delivery, but sent a bounce asynchronously.  Since the from: of
the email points to OTRS, and OTRS rejects bounces to avoid starting
bounce loops, it got lost.

Sadly, we were under severe time pressure to warn as many users as
possible as quickly as possible, and it was not practical to construct a
mail system that was robust enough to handle edge cases.  Since there
was a second layer of protection (ending sessions and forcing password
changes) that would come into play even for editors that had invalid or
no email set, this was viewed as the right compromise to avoid delaying
warning users by days.

It's of course preferable if editors get the email before they wonder
why their session timed out (because, as you yourself experienced, it's
a little confusing to end up being forced to change your password
without warning) -- but safeguarding the security of users quickly has
priority.

-- Marc


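An added example, not code from this thread or from the WMF/Toolserver mail setup: the lines Marc quotes above are Exim delivery records, and a `=>` line with `C="250 OK"` only records that the remote MTA accepted the message at SMTP time. That is exactly why the asynchronous gmx bounce was invisible: a `**` line would have flagged a synchronous rejection, but a DSN sent later goes to the Return-Path, which here pointed at OTRS, which discards bounces. The Python below parses Exim-style delivery flags from a constructed sample log (modelled on the quoted line; addresses, hosts, IPs and message ids are made up) and shows the usual mitigation, a VERP-style return path that encodes the recipient so a late DSN can be mapped back to the account that bounced. The `bounces.example.org` domain and the `bounce+` local-part prefix are assumptions, not anything the thread describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Exim main-log delivery flags (standard Exim notation):
#   =>  the remote MTA accepted the message (answered 2xx), like the line in the thread
#   **  delivery failed at SMTP time (the remote MTA rejected it synchronously)
#   ==  delivery deferred (temporary failure, Exim will retry)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) (?P<flag>=>|\*\*|==) (?P<rcpt>\S+)"
)
FLAG_TO_STATUS = {"=>": "accepted", "**": "rejected", "==": "deferred"}

# Constructed sample log, modelled on the Exim line quoted in the thread.
# Addresses, hosts, IPs (RFC 5737 documentation ranges) and ids are made up.
SAMPLE_LOG = """\
2013-10-03 06:57:40 1VRcqa-0000fa-01 => user@example.net <user@example.net> R=wiki_mail T=remote_smtp S=3309 H=mx.example.net [192.0.2.10] C="250 OK id=1VRcqa-00086a-02" DT=0s
2013-10-03 06:57:40 1VRcqa-0000fa-01 Completed
2013-10-03 06:57:41 1VRcqb-0000fb-03 ** nobody@example.org <nobody@example.org> R=wiki_mail T=remote_smtp: SMTP error from remote mail server after RCPT TO:<nobody@example.org>: host mx.example.org [192.0.2.20]: 550 5.1.1 User unknown
2013-10-03 06:57:41 1VRcqb-0000fb-03 Completed
2013-10-03 06:57:42 1VRcqc-0000fc-04 == slow@example.com R=wiki_mail T=remote_smtp defer (-53): retry time not reached for any host
2013-10-03 06:57:43 1VRcqd-0000fd-05 => ok@example.com <ok@example.com> R=wiki_mail T=remote_smtp S=3301 H=mx.example.com [192.0.2.30] C="250 OK" DT=0s
2013-10-03 06:57:43 1VRcqd-0000fd-05 Completed
"""


@dataclass
class Delivery:
    recipient: str
    mta_status: str             # "accepted", "rejected" or "deferred"
    async_bounce: bool = False  # set once a DSN for this recipient comes back

    @property
    def delivered(self) -> bool:
        # "accepted" only means the remote MTA took the message; a DSN that
        # arrives later (the gmx case in the thread) still makes it a non-delivery.
        return self.mta_status == "accepted" and not self.async_bounce


def parse_exim_log(text: str) -> Dict[str, Delivery]:
    """One Delivery per recipient; 'Completed' and arrival lines carry no verdict."""
    deliveries: Dict[str, Delivery] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            deliveries[m["rcpt"]] = Delivery(m["rcpt"], FLAG_TO_STATUS[m["flag"]])
    return deliveries


def verp_return_path(recipient: str, bounce_domain: str) -> str:
    """Encode the recipient in the envelope sender (VERP).  A DSN is addressed
    to the Return-Path, so whoever receives mail for bounce_domain learns who
    bounced without parsing the DSN body.  '@' becomes '=' by VERP convention.
    The 'bounce+' prefix and bounce_domain are assumptions of this example."""
    local, _, domain = recipient.partition("@")
    return f"bounce+{local}={domain}@{bounce_domain}"


VERP_RE = re.compile(r"^bounce\+(?P<local>.+)=(?P<domain>[^@=]+)@")


def recipient_from_return_path(return_path: str) -> Optional[str]:
    """Inverse of verp_return_path; None for non-VERP addresses (e.g. a plain OTRS queue)."""
    m = VERP_RE.match(return_path)
    return f"{m['local']}@{m['domain']}" if m else None


def undelivered_recipients(log_text: str, dsn_envelope_rcpts: List[str]) -> List[str]:
    """Combine the synchronous verdicts in the log with the asynchronous DSNs
    that later arrived at the bounce domain (identified by their RCPT TO)."""
    deliveries = parse_exim_log(log_text)
    for rp in dsn_envelope_rcpts:
        rcpt = recipient_from_return_path(rp)
        if rcpt in deliveries:
            deliveries[rcpt].async_bounce = True
    return sorted(r for r, d in deliveries.items() if not d.delivered)


if __name__ == "__main__":
    # Constructed: a DSN for user@example.net arrived later at the VERP address.
    late_dsns = [verp_return_path("user@example.net", "bounces.example.org")]
    for rcpt in undelivered_recipients(SAMPLE_LOG, late_dsns):
        print("needs follow-up (no email reached this account):", rcpt)
```

With the sample input, `user@example.net` is "accepted" by the MTA but is still reported as undelivered once the late DSN is reconciled; without the VERP mapping that DSN would have been just another message to a shared sender address, which is the situation Marc describes. The deferred and rejected recipients are reported as well, since neither has received the notification, and those are the accounts that depend on the second layer of protection (session invalidation and forced password change) mentioned above.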