2019-01-25 Security Disclosure

From Meta
Jump to navigation Jump to search

On January 24th, 2019 a trusted volunteer of the Miraheze project discovered a security issue that affected several wikis hosted by Miraheze. By accessing a certain page on a wiki with the 'SocialProfile' extension enabled, an administrator could retrieve the email address of any user who a) was registered on that wiki and b) had an email address tied to their user account. Also, an administrator could potentially change the email address of other user accounts to gain access to their accounts. As a countermeasure we have immediately fixed the privacy leak and conducted an investigation to find out if access had been gained to the personal information of any user.

In accordance with our Privacy Policy and the General Data Protection Regulation ("GDPR"), email addresses are treated as private information. MediaWiki, the software we use to host all wikis, keeps email addresses strictly private and provides special pages to send emails to others without disclosing their email addresses. Besides, the ability to change others' email addresses is highly restricted, as this ability could be exploited to send reset passwords of other users and gain access to their user accounts.

We have conducted an internal investigation to find out if someone has exploited this security issue to gain access and/or change the personal information of any user on the project. There is absolutely no evidence that suggests this issue was exploited to change others' email addresses and we have no evidence either that suggests someone would have exploited this issue en masse.

While there is no need to change your password, as a result of this incident, it is strongly recommended all users use a strong and secure password and that they regularly change it. Miraheze also provides a second-factor authentication (2FA/Multi-Auth) implementation that users can set up by going to this page.

If any user would like their personal information removed or to know what personal information we have stored, please visit Special:Preferences or send an email to privacy(at)miraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to staff(at)miraheze.org and we will respond in due course.

Miraheze Operations