Maybe somewhat unrelated, but I'm reminded of the fact that people have deleted the main page on a few occasions: https://en.wikipedia.org/wiki/Wikipedia:Don%27t_delete_the_m...
reply
> Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review.

True, but there aren't very many interface administrators. It looks like there are only 137 right now [0], which I agree is probably more than there should be, but that's still a relatively small number compared to the total number of active users. But there are lots of bots/duplicates in that list too, so the real number is likely quite a bit smaller. Plus, most of the users in that list are employed by Wikimedia, which presumably means that they're fairly well vetted.

[0]: https://en.wikipedia.org/w/api.php?action=query&format=json&...

reply
There shouldn't be any interface admins as such. There should be an enforced review process for changes to global JavaScript so stuff like this can't happen.

I'm sure there are Google engineers who can push changes to prod and bypass CI but that isn't a normal way to handle infra.

reply
reply
Those are the English Wikipedia-only users, but you also need to include the "global" users (which I think were the source of this specific compromise?). Search this page [0] for "editsitejs" to see the lists of global users with this permission.

[0]: https://en.wikipedia.org/wiki/Special:GlobalGroupPermissions

reply
Seems like a good time to donate one's resources to fix it. The internet is super hostile these days. If Wikipedia falls... well...
reply
It's a political issue. Editors are unwilling or unable to contribute to development of the features they need to edit.

Unfortunately, Wikipedia is run on insecure user scripts created by volunteers that tend to be under the age of 18.

There might be more editors trying to résumé-boost if editing Wikipedia under your real name didn't invite endless harassment.

reply
They have 100s of millions USD, they will be fine: https://upload.wikimedia.org/wikipedia/foundation/3/3f/Wikim... (pages 5-7).
reply
Wikipedia doesn't even spend the donations to Wikipedia anymore.
reply
Sounds more like a political issue, this. Can't buy your way out of that.
reply
My understanding is that Wikipedia receives more donations than they need; surely they have the resources to fix it themselves?
reply
You would first need to realize it's a problem.
reply
Maybe this is the reason for this worm. Someone is angry because they didn't get it another way...
reply
The worm is a two-year-old script from the Russian Wiki that was grabbed randomly for a test by a stupid admin running unsandboxed with full privileges, so no.
reply
> Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

Disabled at which level?

Browsers still allow for user scripts via tools like TamperMonkey and GreaseMonkey, and that's not enforceable (and arguably, not even trivially visible) to sites, including Wikipedia.

As I say that out loud, I figure there's a separate ecosystem of Wikipedia-specific user scripts, but arguably the same problem exists.

reply
Yeah, Wikipedia has its own user script system, and that was what was disabled.
reply
The sitewide JavaScript/CSS is an editable Wiki page.

You can also upload scripts to be shared and executed by other users.

reply
This is apparently not done browser side but server side.

As in, a user can upload whatever they wish and it will be shown to them and run, as JS, fully privileged and all.

reply
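Two things in this thread are worth checking from the outside rather than taking on faith: how many accounts actually hold the group that can edit site-wide JavaScript (the count and the bot/duplicate caveat discussed earlier), and whether anyone has recently edited the MediaWiki-namespace pages that ship as site JS/CSS. The script below is an added example, not code from the thread or from Wikimedia. It assumes the standard MediaWiki API endpoint, that the English Wikipedia group is named `interface-admin`, and that site scripts live in namespace 8 (`MediaWiki:`); the sample responses are constructed in the shape the `list=allusers` and `list=recentchanges` modules return, so the script runs offline, and `fetch()` is only needed to run it against the live wiki.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the thread): the standard MediaWiki API endpoint, the
# enwiki group name "interface-admin", and namespace 8 (MediaWiki:) for site JS/CSS.
API_URL = "https://en.wikipedia.org/w/api.php"
INTERFACE_ADMIN_GROUP = "interface-admin"
MEDIAWIKI_NAMESPACE = 8
USER_AGENT = "site-js-audit-example/0.1 (example script)"


def api_url(params, endpoint=API_URL):
    """Build a MediaWiki API query URL from a parameter dict."""
    params = dict(params, action="query", format="json")
    return endpoint + "?" + urllib.parse.urlencode(params)


def members_url(group=INTERFACE_ADMIN_GROUP):
    """URL listing members of a group, with their other groups (to spot bots)."""
    return api_url({"list": "allusers", "augroup": group,
                    "auprop": "groups", "aulimit": "500"})


def site_script_changes_url(limit=50):
    """URL listing recent edits in the MediaWiki: namespace."""
    return api_url({"list": "recentchanges", "rcnamespace": MEDIAWIKI_NAMESPACE,
                    "rcprop": "title|user|timestamp|comment", "rclimit": str(limit)})


def summarize_members(response):
    """Split group members into human accounts and bot-flagged accounts."""
    humans, bots = [], []
    for u in response["query"]["allusers"]:
        target = bots if "bot" in u.get("groups", []) else humans
        target.append(u["name"])
    return {"total": len(humans) + len(bots),
            "humans": sorted(humans), "bots": sorted(bots)}


def script_changes(response):
    """Keep only edits to pages served as site JS/CSS (title ends in .js/.css)."""
    hits = []
    for rc in response["query"]["recentchanges"]:
        title = rc["title"]
        if title.lower().endswith((".js", ".css")):
            hits.append((rc["timestamp"], rc["user"], title, rc.get("comment", "")))
    return hits


def fetch(url):
    """Live fetch against the API; not used in the offline run below."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses, shaped like the real API output, so this runs offline.
SAMPLE_MEMBERS = {"query": {"allusers": [
    {"userid": 1, "name": "ExampleAdmin", "groups": ["interface-admin", "sysop"]},
    {"userid": 2, "name": "ExampleBot", "groups": ["interface-admin", "bot"]},
    {"userid": 3, "name": "AnotherAdmin", "groups": ["interface-admin"]},
]}}

SAMPLE_CHANGES = {"query": {"recentchanges": [
    {"type": "edit", "ns": 8, "title": "MediaWiki:Common.js",
     "user": "ExampleAdmin", "timestamp": "2024-01-01T00:00:00Z", "comment": "tweak"},
    {"type": "edit", "ns": 8, "title": "MediaWiki:Sidebar",
     "user": "ExampleAdmin", "timestamp": "2024-01-01T00:01:00Z", "comment": "menu"},
    {"type": "edit", "ns": 8, "title": "MediaWiki:Gadget-foo.css",
     "user": "AnotherAdmin", "timestamp": "2024-01-01T00:02:00Z", "comment": ""},
]}}


if __name__ == "__main__":
    print(summarize_members(SAMPLE_MEMBERS))
    for change in script_changes(SAMPLE_CHANGES):
        print(*change)
    # Against the live wiki: summarize_members(fetch(members_url()))
    #                        script_changes(fetch(site_script_changes_url()))
```

The recentchanges filter is the part a defender would actually schedule: every edit to a `.js` or `.css` page in the MediaWiki namespace reaches every visitor's browser, so a diff of that list against the last run is a cheap substitute for the review gate the thread says is missing.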
For reference

> There are currently 15 interface administrators (including two bots).

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...

reply
Most admins on Wikipedia are competent in areas outside of webdev and security.
reply
Wikipedia admins are not IT admins, they're more like forum moderators or admins on a free phpBB 2 hosting service in 2005. They don't have "admin" access to backend systems. Those are the WMF sysadmins.
reply
This is half true, because Wikipedia admins had the ability to edit sitewide JavaScript until 2018.

A certain number of "community" admins maintain that right to this day after it was realized this was a massive security hole.

reply