2020-12-23 Security Disclosure

Update (2020-12-26)
Hello,

Miraheze was made aware of a serious vulnerability in the Widgets extension that would allow attackers to steal private information and compromise Miraheze servers (see previous announcement below). This issue had been patched earlier, but without realising the impact of this issue yet.

After realising the impact of this issue, Miraheze disabled the extension right away and started an investigation immediately. No suspiscious activity was noticed and therefore there is no evidence this vulnerability was abused. However, given the nature of this vulnerability, we did not find the risks of taking zero actions acceptable. In order to be on the safe side, we strongly recommend that all users change their Miraheze passwords and reset their two-factor authentification (if used) as soon as possible.

Please know that the security of your information and your privacy are very important to us. The Board has filed a report with the Information Commissioner's Office (ICO) on December 25th. Miraheze's Engineers have been working for days and nights to ensure any remnants of this incident are removed from our servers. The Widgets extension will not be enabled again, but safer alternatives are available. Miraheze will write a postmortem when this incident is over. In the light of our commitment to transparency, relevant actionables and lessons may be shared with you for community feedback.

If you have any questions regarding this incident, please ask on the talk page or email tech@undefinedmiraheze.org. Formal requests in line with the General Data Protection Regulation (GDPR) can be sent to privacy@undefinedmiraheze.org.

Miraheze wishes you a safe New Year.

Thanks,

Miraheze, Technical Team

Previous announcement (2020-12-23)
Hello,

We would like to let you why Widgets is disabled and explain the maintenance that happened yesterday. Miraheze was made aware of a serious vulnerability in the Widgets extension that would allow attackers to steal private information and compromise Miraheze servers. This issue had been patched earlier, but without realising the impact of this issue.

On realising the impact of this vulnerability, we have taken precautions immediately to ensure no one could attack Miraheze's wikis or users. These actions was done during the emergency maintenance window, hence the performance issues you might have noticed. Users reported issues cookie banners or features using OAuth as well, these issues were the result of the maintenance but have been fixed since.

We are continuing to work to ensure no data was compromised but at this time have no reason to believe any information has been compromised. The Widgets extension will be kept disabled until further notice. We will update you once our full audit is complete or if this changes.

If you have any questions, please ask on the talk page or email tech[at]miraheze.org.

Thanks, Miraheze Technical Team.