2018-08-26 Security Disclosure

On August 26th, 2018 we were informed of a potential security issue on one of our wikis. Within minutes of responding to the report, we were able to confirm that a script activated by responding to a poll on a wiki was sending sensitive information to a third party external site potentially ran by one of the members of the community. While we are still unsure of the intentions, the script did send usernames, IP address, user agents and CSRF (Cross-Site Request Forgery) tokens which may or may not have been stored by the receiver.

Naturally, handling of IP address and user agents are restricted by Miraheze's Privacy Policy and are governed by strict handling guidelines internally by staff. The importance of the CSRF token is that it could be used to forge requests to Miraheze giving the impression the request came from the account owner and not someone who does not have the authority to make the request. Tokens are associated to a login session and as a precaution we have revoked all login tokens meaning all previous CSRF tokens will no longer work.

While there is no need to change your password as a result of this incident, it is strongly recommended all users use a strong and secure password and that they regularly change it. Miraheze also provides a second-factor authentication (2FA/Multi-Auth) implementation that users can set up by going to this page.

Further, we have implemented a new content security policy which restricts the type of content we load on our services and which external services are able to access our user's information from browsers stored within the Miraheze domain. This restriction currently is rather strict as we are unsure of the content we load and our communities load. If you experience an issue or anything abnormal changes, please contact us and we will try our best to resolve the issue.

The incident was brought to our attention by a trusted volunteer in a private venue and the importance of what they had found was made clear immediately by the user. We rely on users' careful and thoughtful analysis in what they believe is a potential security issue and strongly advocate a working practise of responsible disclosure. Please read this page for more information on how we like users to report security issues to us.

If any user would like their personal information removed or to know what personal information we have stored, please send an email to privacy@undefinedmiraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to staff@undefinedmiraheze.org and we will respond in due course.

On behalf of Miraheze, John Lewis Miraheze Site Reliabilty Engineering