2020-06-11 Security Disclosure

From Miraheze Meta, Miraheze's central coordination wiki

On June 10th, 2020, a user of the Miraheze project discovered a security issue that affected several wikis hosted by Miraheze. A user was able to access private information containing the IPs of users who triggered the AbuseFilter. We have rectified this by blacklisting the permission that allowed access to the private information. We also immediately conducted an investigation to find out whether access had been gained to the IPs of any user.

In accordance with our Privacy Policy and the General Data Protection Regulation ("GDPR"), IPs are treated as private information.

We have conducted an internal investigation, which revealed that we didn't log who accessed the private information on the 105 wikis where it affects users. We cannot say for certain whether someone accessed the users' private information. We countered this by logging when users access the private information, and by requiring a reason for visiting it.

While IPs have potentially been exposed, we have no evidence that users actually used the permission to look at the private information.

If any user would like their personal information removed or to know what personal information we have stored, please visit Special:Preferences or send an email to privacy@miraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to sre@miraheze.org and we will respond in due course.

--
paladox,
Miraheze Site Reliability Engineer