HomePhabricator
Phame Blogs Wikimedia Security Team
Wikimedia Security Team
Security is a process, not a product.

Addressing bug from 2019: information about private, security-related Phab tickets

Written by Dsharpe on Jul 6 2020, 5:04 PM.

Today, we are writing to share the discovery and squashing of a bug that occurred earlier this year. This particular bug was also one of the rare instances in which we kept a Phabricator ticket private to address a security issue. To help address questions about when and why we make a security-related ticket private, we’re also sharing some insight into what happens when a private ticket about a security issue is closed.

Read more...

Changes to Security Team Workflow

Written by JBennett on Feb 3 2020, 8:07 PM.

In an effort to create a repeatable, streamlined process for consumption of security services the Security Team has been working on changes and improvements to our workflows. Much of this effort is an attempt to consolidate work intake for our team in order to more effectively communicate status, priority and scheduling. This is step 1 and we expect future changes as our tooling, capabilities and processes mature.

Read more...

14 January 2020 security incident on Phabricator

Written by Dsharpe on Jan 16 2020, 10:20 PM.

On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system.

Read more...

translatewiki.net security incident

Written by JBennett on Oct 10 2018, 8:14 PM.

What happened?
On September 24, 2018 a series of malicious edit attempts were detected on translatewiki.net. In general, these included attempts to inject malicious javascript, threatening messages and porn.

Read more...

Additional details on OurMine

Written by JBennett on Sep 7 2018, 6:37 PM.

The guard rails I'll be following will be around the original blog post created by Darian Patrick in November 2016. I'll do my best to fill in what gaps I can.

Read more...

Details of dictionary attack from May 2018

Written by JBennett on Sep 7 2018, 6:37 PM.

What happened?

Read more...
About Wikimedia Security Team

A place for the Wikimedia Security Team.