2020-12-23 Security Disclosure

Hello,

We would like to let you why Widgets is disabled and explain the maintenance that happened yesterday. Miraheze was made aware of a serious vulnerability in the Widgets extension that would allow attackers to steal private information and compromise Miraheze servers. This issue had been patched earlier, but without realising the impact of this issue.

On realising the impact of this vulnerability, we have taken precautions immediately to ensure no one could attack Miraheze's wikis or users. These actions was done during the emergency maintenance window, hence the performance issues you might have noticed. Users reported issues cookie banners or features using OAuth as well, these issues were the result of the maintenance but have been fixed since.

We are continuing to work to ensure no data was compromised but at this time have no reason to believe any information has been compromised. The Widgets extension will be kept disabled until further notice. We will update you once our full audit is complete or if this changes.

If you have any questions, please ask on the talk page or email tech[at]miraheze.org

Thanks, Miraheze Technical Team.