2018-08-26 Security Disclosure
On August 26th, 2018 we were informed of a potential security issue on one of our wikis. Within minutes of responding to the report we confirmed that a script, activated by responding to a poll on a wiki, was sending sensitive information to an external third-party site, potentially run by one of the members of the community. While we are still unsure of the intentions behind it, the script did send usernames, IP addresses, user agents and CSRF (Cross-Site Request Forgery) tokens, which may or may not have been stored by the receiver.
While there is no need to change your password as a result of this incident, we strongly recommend that all users use a strong, unique password and change it regularly. Miraheze also provides a two-factor authentication (2FA/Multi-Auth) implementation that users can set up by going to this page.
Further, we have implemented a new Content Security Policy (CSP) which restricts the types of content loaded on our services and which external services are able to receive our users' information from browsers on Miraheze domains. The policy is currently rather strict, as we do not yet have a full picture of the content we and our communities load. If you experience an issue or notice anything abnormal, please contact us and we will do our best to resolve it.
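To make concrete what a policy like this does and does not stop, here is an added example (not code from Miraheze's notice or from its infrastructure) that evaluates a CSP header against the exfiltration vectors an injected script would reach for: a fetch/XHR (connect-src), an image beacon (img-src), a form submission (form-action) and a remotely loaded script (script-src). The policies, the wiki URL and the collector URL are constructed for illustration, and the source matching is a simplified subset of the CSP specification (no path matching, nonces, hashes or strict-dynamic). It also shows a pitfall worth checking in any deployment: form-action does not fall back to default-src, so a policy that only sets default-src still lets a form post data anywhere.

```python
"""
Simplified Content-Security-Policy evaluator (added example, not Miraheze's
code).  Given a policy header and a destination URL, report which directive-
controlled vectors would still let an injected script send data out.
All policies and URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent.
# form-action deliberately is NOT in this set: it has no fallback.
FALLS_BACK_TO_DEFAULT = {"connect-src", "img-src", "script-src", "style-src",
                         "font-src", "media-src", "frame-src"}

VECTORS = {"fetch/XHR": "connect-src", "image beacon": "img-src",
           "form submission": "form-action", "remote script": "script-src"}


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.
    Later duplicates of a directive are ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """Exact host match, or '*.example.org' matching any subdomain (not the apex)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_allows(source, page, dest):
    """Does one source expression permit a request from `page` to `dest`?"""
    if source == "'none'":
        return False
    if source == "'self'":      # simplified: same scheme, host and port only
        return (dest.scheme, dest.hostname, dest.port) == (page.scheme, page.hostname, page.port)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. https: or data:
        return dest.scheme == source[:-1]
    if source.startswith("'"):   # 'unsafe-inline', nonces, hashes grant no host
        return False
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme is None:
        if dest.scheme not in (page.scheme, "https"):   # schemeless source: page scheme or https
            return False
    elif scheme != dest.scheme:
        return False
    if not _host_matches(host, dest.hostname):
        return False
    dest_port = str(dest.port or ("443" if dest.scheme == "https" else "80"))
    return not port or port == "*" or port == dest_port


def allows(header, directive, page_url, dest_url):
    """True if the policy permits `directive` traffic from page_url to dest_url."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True          # no applicable directive: the browser imposes no restriction
    page, dest = urlsplit(page_url), urlsplit(dest_url)
    return any(_source_allows(s, page, dest) for s in sources)


def exfil_vectors(header, page_url, dest_url):
    """Sorted names of the vectors through which data could still reach dest_url."""
    return sorted(v for v, d in VECTORS.items() if allows(header, d, page_url, dest_url))


# Constructed policies: a permissive one and a strict one of the kind described above.
PERMISSIVE = "default-src * 'unsafe-inline'"
STRICT = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
          "img-src 'self' data:; form-action 'self'; base-uri 'self'")

if __name__ == "__main__":
    page = "https://example-wiki.miraheze.org/wiki/Main_Page"   # constructed
    sink = "https://collector.example/log"                       # constructed
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT),
                         ("default-src only", "default-src 'self'")):
        print(f"{name:17s} -> {exfil_vectors(policy, page, sink)}")
```

Run as a script it prints the open vectors for each policy; the "default-src only" line is the one to notice, since the form-submission vector stays open until form-action is set explicitly. A real audit would also cover navigation (`a` links, `window.location`) and `base-uri`, which this evaluator does not model.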
The incident was brought to our attention by a trusted volunteer through a private channel, and the user made the importance of their finding clear immediately. We rely on users' careful and thoughtful analysis of what they believe to be a potential security issue, and strongly advocate the practice of responsible disclosure. Please read this page for more information on how we would like users to report security issues to us.
If any user would like their personal information removed, or to know what personal information we have stored, please send an email to privacy@miraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to staff@miraheze.org and we will respond in due course.
On behalf of Miraheze,