
Donation thank you page includes non-secure images
Closed, Resolved (Public)

Description

Author: jpaperchase

Description:
I do not understand all the technical jargon on wikimedia web pages. I understand none of it. I submitted a donation online from my credit card and a warning was generated by my computer, with Windows 7 that stated that the donation process was not secure and did I wish to continue. I attempted to cancel the donation and it occurred anyway. Is my credit card data, my computer or anything else at danger now because of this?

James Hamilton


Version: unspecified
Severity: trivial

Details

Reference
bz26421

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 11:15 PM
bzimport set Reference to bz26421.
bzimport added a subscriber: Unknown Object (MLST).

(I'm just a random volunteer who saw this. I am not associated with the fundraiser people in any way. Take what I say with a grain of salt)

It is very unlikely that anything is in danger. From the sounds of it, the unsecure part happened after the donation part (as otherwise cancelling would have worked), so the donation was probably secure.

I'm filing this under central notice component, since although that isn't the right place, I know the fundraiser people monitor that component, so hopefully someone more knowledgeable than me will find it.

(In reply to comment #0)

> I do not understand all the technical jargon on wikimedia web pages. I
> understand none of it. I submitted a donation online from my credit card and a
> warning was generated by my computer, with Windows 7 that stated that the
> donation process was not secure and did I wish to continue. I attempted to
> cancel the donation and it occurred anyway. Is my credit card data, my computer
> or anything else at danger now because of this?
>
> James Hamilton

It is highly unlikely that any of your personal data has been compromised. All donations are processed by PayPal through their payment gateway Payflow Pro as a way to securely process online credit card transactions. In addition, our tech team does regular security checking to verify that everything stays secure.

Our donation portal (the page where you entered the donation amount) and our Thank You page (after you had completed your donation) do not collect any personal information and therefore do not need to be secure. However, the page where you entered your credit card number and billing information is secured with industry-standard 256-bit encryption.

I hope this answers your question. If you have any further questions or comments, please feel free to contact us at donate@wikimedia.org.

Alex Zariv
Associate Community Officer
Wikimedia Foundation

This is actually a valid bug, but not as dire as the description. The secure version of the Thank You page currently includes non-secure images since we don't have any way to serve images via https currently. So this is really an ops issue rather than a fundraising team issue.

https://secure.wikimedia.org/wikipedia/foundation/wiki/Template:2010/Thankyou

Just to clarify, the actual donation pages themselves are completely secure since the images are served off the payments server. We could theoretically host the Thank You page on the payments server as well (rather than on the cluster) but this would mean severely limiting who had access to editing it. The current plan is to try to get ops to fix the https services for the cluster instead.

*** This bug has been marked as a duplicate of bug 16822 ***