
T166179 has attachments that perhaps shouldn't have been made public
Closed, Resolved, Public, Security

Description

T166179 originally was a procurement task, though it was made public by @RobH. Its PDF attachments contain information that, per T302870#8024857, perhaps shouldn't have been made available for public access: "data center addresses", "cage numbers", invoices and price quotes for equipment, etc.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

Urbanecm subscribed.

Tagging SRE to ensure they're aware of this task.

Easily fixed, shifted it back into S4 and it's now hidden again.

Cannot help if anyone saw the PDF in the meantime, but each datacenter site is a secure facility, so it should be OK in terms of address and cage disclosure. Pricing is non-ideal to disclose, but not much can be done about that, and if it was only packing slips then usually no pricing info.

sbassett added subscribers: RobH, sbassett.

No need to directly engage WMF-Legal on this. The issue appears to be resolved by @RobH, so making this task public now.

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place to expect feedback from the Legal Team of the Wikimedia Foundation due to the scope of the team and/or nature of legal topics. See the project tag description.
Please see https://meta.wikimedia.org/wiki/Legal for when and how to contact the Legal Team. Thanks!

sbassett assigned this task to RobH.
sbassett triaged this task as Low priority.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.