Re: [Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[Cristian Consonni]

Hi,

sorry for the late reply to this thread.

On 17/03/2018 08:24, Liam Wyatt wrote:
> “we encourage you to consider tools which block unwanted third-party
> scripts like the one provided by Facebook.”
> - where can I go to learn more about that specifically?

Here's two browser add-ons (free software) with similar behavior. By
default these extensions disable *all* Javascript and then the user can
enable Javascript from trusted sourced.

It would not have helped much in this situation if one listed Twitter
and Facebook as trusted sources (which most probably is true for all
Twitter and Facebook users). In general these extensions protect you
from Javascript when visiting new websites.

For Firefox you can use NoScript:
* website: https://noscript.net/
* add-on page: https://addons.mozilla.org/en-US/firefox/addon/noscript/

For Chromium/Chrome you can use ScriptSafe:
* website: https://github.com/andryou/scriptsafe
* add-on page:
https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en

> Thank you Greg, for having the unenviable task of being the bearer of bad
> news, and to all those involved in this; you had with the talent to
> identify and remove this code, and the principles to tell us about it.

I wanted to commend as well how the incident has been reported. Thank
you, Greg.

Cristian

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Re: [Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[Gregory Varnum]

Thank you to folks that responded for your comments and questions.

There are staff from multiple departments within the Wikimedia Foundation 
reviewing both this incident and possible improvements to prevent similar 
incidents in the future. Since security discussions can sometimes reveal 
vulnerabilities that some observers may seek to exploit, those conversations 
are happening in private spaces for now (including a private Phabricator 
ticket). We are discussing how to best share additional findings and possible 
improvements.

We appreciate everyone’s patience and understanding.

-greg


> On Mar 17, 2018, at 10:55 AM, Strainu  wrote:
> 
> Thank you for letting us know early on. I would also want to see a 
> post-mortem on this and I hope the steps taken to mitigate the risk will be 
> consistent with the ones taken on the recent fa.wiki criptocurrency case.
> 
> Strainu
> 
> În 17 martie 2018 03:57:28 EET, Gregory Varnum  a 
> scris:
>> On 14 March and 15 March 2018, a CentralNotice banner appeared to some
>> logged-out users viewing English Wikipedia pages. The banner contained
>> JavaScript hosted by Facebook, which allowed Facebook to collect
>> traffic data from those who visited a page with a banner. The banner
>> was prepared by the Wikimedia Foundation. The Foundation turned the
>> banner off as soon as we learned how the script was running, and its
>> potential scope. We have also removed all references to the code in
>> question from CentralNotice on Meta-Wiki.
>> 
>> The code utilized in this banner was based on an unused prototype
>> created by an outside vendor. Because the prototype was never enabled,
>> the vendor’s prototype code was not subjected to our standard quality
>> assurance process. However, we made the mistake of reusing the code for
>> a different purpose, and implementing it based on recommendations in
>> documentation from Twitter and Facebook to improve the appearance of
>> shared links. At the time, our understanding was that the platforms
>> would only receive traffic data if the user clicked on the link.
>> Although this was true for Twitter, the Facebook code operated
>> differently.
>> 
>> We discovered the problematic link configurations during our ongoing
>> monitoring of live banners. The recommended code enhanced not only the
>> appearance of links, it also enhanced Facebook's ability to collect
>> information on people visiting non-Facebook sites. As soon as we
>> realized these banners were sharing information without even having to
>> click the link, we disabled them and began an investigation. Staff in
>> multiple departments are collaboratively reviewing the incident as well
>> as procedural and technical improvements to prevent future incidents.
>> 
>> While this sort of tracking is commonplace today across most of the
>> internet, it is not consistent with our policies. We are disappointed
>> that this type of hidden data collection is routinely recommended by
>> major platforms, without clearer disclosure.
>> 
>> These practices are why we all must regularly take routine steps to
>> maintain a secure computer and account. As the Wikimedia Foundation
>> continues to explore ways we can do that within Wikimedia's platform,
>> we encourage you to consider tools which block unwanted third-party
>> scripts like the one provided by Facebook.
>> 
>> We apologize for sending this late on a Friday (San Francisco time).
>> However, we wanted to provide this information as quickly as possible.
>> ___
>> Wikimedia-l mailing list, guidelines at:
>> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>> https://meta.wikimedia.org/wiki/Wikimedia-l
>> New messages to: Wikimedia-l@lists.wikimedia.org
>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> 
> 
> -- 
> Trimis de pe dispozitiv Android cu K-9 Mail. Rog scuzati mesajul scurt.
> ___
> Wikimedia-l mailing list, guidelines at: 
> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
> https://meta.wikimedia.org/wiki/Wikimedia-l
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
> 


___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Re: [Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[Strainu]

Thank you for letting us know early on. I would also want to see a post-mortem 
on this and I hope the steps taken to mitigate the risk will be consistent with 
the ones taken on the recent fa.wiki criptocurrency case.

Strainu

În 17 martie 2018 03:57:28 EET, Gregory Varnum  a scris:
>On 14 March and 15 March 2018, a CentralNotice banner appeared to some
>logged-out users viewing English Wikipedia pages. The banner contained
>JavaScript hosted by Facebook, which allowed Facebook to collect
>traffic data from those who visited a page with a banner. The banner
>was prepared by the Wikimedia Foundation. The Foundation turned the
>banner off as soon as we learned how the script was running, and its
>potential scope. We have also removed all references to the code in
>question from CentralNotice on Meta-Wiki.
>
>The code utilized in this banner was based on an unused prototype
>created by an outside vendor. Because the prototype was never enabled,
>the vendor’s prototype code was not subjected to our standard quality
>assurance process. However, we made the mistake of reusing the code for
>a different purpose, and implementing it based on recommendations in
>documentation from Twitter and Facebook to improve the appearance of
>shared links. At the time, our understanding was that the platforms
>would only receive traffic data if the user clicked on the link.
>Although this was true for Twitter, the Facebook code operated
>differently.
>
>We discovered the problematic link configurations during our ongoing
>monitoring of live banners. The recommended code enhanced not only the
>appearance of links, it also enhanced Facebook's ability to collect
>information on people visiting non-Facebook sites. As soon as we
>realized these banners were sharing information without even having to
>click the link, we disabled them and began an investigation. Staff in
>multiple departments are collaboratively reviewing the incident as well
>as procedural and technical improvements to prevent future incidents.
>
>While this sort of tracking is commonplace today across most of the
>internet, it is not consistent with our policies. We are disappointed
>that this type of hidden data collection is routinely recommended by
>major platforms, without clearer disclosure.
>
>These practices are why we all must regularly take routine steps to
>maintain a secure computer and account. As the Wikimedia Foundation
>continues to explore ways we can do that within Wikimedia's platform,
>we encourage you to consider tools which block unwanted third-party
>scripts like the one provided by Facebook.
>
>We apologize for sending this late on a Friday (San Francisco time).
>However, we wanted to provide this information as quickly as possible.
>___
>Wikimedia-l mailing list, guidelines at:
>https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>https://meta.wikimedia.org/wiki/Wikimedia-l
>New messages to: Wikimedia-l@lists.wikimedia.org
>Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>

-- 
Trimis de pe dispozitiv Android cu K-9 Mail. Rog scuzati mesajul scurt.
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Re: [Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[James Salsman]

https://disconnect.me works well for this with both AdBlock (which can
do the same thing by itself with its advanced options) and AdBlock
Plus (which can't, and is a completely different product.)



On Sat, Mar 17, 2018 at 1:24 AM, Liam Wyatt  wrote:
> How insidious!
> “we encourage you to consider tools which block unwanted third-party
> scripts like the one provided by Facebook.”
> - where can I go to learn more about that specifically?
>
> Thank you Greg, for having the unenviable task of being the bearer of bad
> news, and to all those involved in this; you had with the talent to
> identify and remove this code, and the principles to tell us about it.
>
>
>
> On Sat, 17 Mar 2018 at 04:22, Michael Peel  wrote:
>
>> Hi Gregory,
>>
>> Thank you and the WMF for sharing this information so quickly after the
>> event. It’s regrettable that this happened, but openness is the best way
>> forward here. The WMF is being exceptional both with spotting this kind of
>> issue so quickly and being publicly open about the fact that it happened.
>>
>> Is there a phabricator ticket that is tracking this issue and/or a wiki
>> page that documents the issue and the steps that will be taken to avoid it
>> happening again in the future?
>>
>> Thanks,
>> Mike
>>
>> > On 16 Mar 2018, at 22:57, Gregory Varnum  wrote:
>> >
>> > On 14 March and 15 March 2018, a CentralNotice banner appeared to some
>> logged-out users viewing English Wikipedia pages. The banner contained
>> JavaScript hosted by Facebook, which allowed Facebook to collect traffic
>> data from those who visited a page with a banner. The banner was prepared
>> by the Wikimedia Foundation. The Foundation turned the banner off as soon
>> as we learned how the script was running, and its potential scope. We have
>> also removed all references to the code in question from CentralNotice on
>> Meta-Wiki.
>> >
>> > The code utilized in this banner was based on an unused prototype
>> created by an outside vendor. Because the prototype was never enabled, the
>> vendor’s prototype code was not subjected to our standard quality assurance
>> process. However, we made the mistake of reusing the code for a different
>> purpose, and implementing it based on recommendations in documentation from
>> Twitter and Facebook to improve the appearance of shared links. At the
>> time, our understanding was that the platforms would only receive traffic
>> data if the user clicked on the link. Although this was true for Twitter,
>> the Facebook code operated differently.
>> >
>> > We discovered the problematic link configurations during our ongoing
>> monitoring of live banners. The recommended code enhanced not only the
>> appearance of links, it also enhanced Facebook's ability to collect
>> information on people visiting non-Facebook sites. As soon as we realized
>> these banners were sharing information without even having to click the
>> link, we disabled them and began an investigation. Staff in multiple
>> departments are collaboratively reviewing the incident as well as
>> procedural and technical improvements to prevent future incidents.
>> >
>> > While this sort of tracking is commonplace today across most of the
>> internet, it is not consistent with our policies. We are disappointed that
>> this type of hidden data collection is routinely recommended by major
>> platforms, without clearer disclosure.
>> >
>> > These practices are why we all must regularly take routine steps to
>> maintain a secure computer and account. As the Wikimedia Foundation
>> continues to explore ways we can do that within Wikimedia's platform, we
>> encourage you to consider tools which block unwanted third-party scripts
>> like the one provided by Facebook.
>> >
>> > We apologize for sending this late on a Friday (San Francisco time).
>> However, we wanted to provide this information as quickly as possible.
>> > ___
>> > Wikimedia-l mailing list, guidelines at:
>> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>> https://meta.wikimedia.org/wiki/Wikimedia-l
>> > New messages to: Wikimedia-l@lists.wikimedia.org
>> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> 
>>
>>
>> ___
>> Wikimedia-l mailing list, guidelines at:
>> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>> https://meta.wikimedia.org/wiki/Wikimedia-l
>> New messages to: Wikimedia-l@lists.wikimedia.org
>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> 
> ___
> Wikimedia-l mailing list, guidelines at: 
> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
> https://meta.wikimedia.org/wiki/Wikimedia-l
> New messages to: 

Re: [Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[Michael Peel]

Hi Gregory,

Thank you and the WMF for sharing this information so quickly after the event. 
It’s regrettable that this happened, but openness is the best way forward here. 
The WMF is being exceptional both with spotting this kind of issue so quickly 
and being publicly open about the fact that it happened.

Is there a phabricator ticket that is tracking this issue and/or a wiki page 
that documents the issue and the steps that will be taken to avoid it happening 
again in the future?

Thanks,
Mike

> On 16 Mar 2018, at 22:57, Gregory Varnum  wrote:
> 
> On 14 March and 15 March 2018, a CentralNotice banner appeared to some 
> logged-out users viewing English Wikipedia pages. The banner contained 
> JavaScript hosted by Facebook, which allowed Facebook to collect traffic data 
> from those who visited a page with a banner. The banner was prepared by the 
> Wikimedia Foundation. The Foundation turned the banner off as soon as we 
> learned how the script was running, and its potential scope. We have also 
> removed all references to the code in question from CentralNotice on 
> Meta-Wiki.
> 
> The code utilized in this banner was based on an unused prototype created by 
> an outside vendor. Because the prototype was never enabled, the vendor’s 
> prototype code was not subjected to our standard quality assurance process. 
> However, we made the mistake of reusing the code for a different purpose, and 
> implementing it based on recommendations in documentation from Twitter and 
> Facebook to improve the appearance of shared links. At the time, our 
> understanding was that the platforms would only receive traffic data if the 
> user clicked on the link. Although this was true for Twitter, the Facebook 
> code operated differently.
> 
> We discovered the problematic link configurations during our ongoing 
> monitoring of live banners. The recommended code enhanced not only the 
> appearance of links, it also enhanced Facebook's ability to collect 
> information on people visiting non-Facebook sites. As soon as we realized 
> these banners were sharing information without even having to click the link, 
> we disabled them and began an investigation. Staff in multiple departments 
> are collaboratively reviewing the incident as well as procedural and 
> technical improvements to prevent future incidents.
> 
> While this sort of tracking is commonplace today across most of the internet, 
> it is not consistent with our policies. We are disappointed that this type of 
> hidden data collection is routinely recommended by major platforms, without 
> clearer disclosure.
> 
> These practices are why we all must regularly take routine steps to maintain 
> a secure computer and account. As the Wikimedia Foundation continues to 
> explore ways we can do that within Wikimedia's platform, we encourage you to 
> consider tools which block unwanted third-party scripts like the one provided 
> by Facebook.
> 
> We apologize for sending this late on a Friday (San Francisco time). However, 
> we wanted to provide this information as quickly as possible.
> ___
> Wikimedia-l mailing list, guidelines at: 
> https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
> https://meta.wikimedia.org/wiki/Wikimedia-l
> New messages to: Wikimedia-l@lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
> 


___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

[Wikimedia-l] Notification about problem identified with a recent CentralNotice banner

[Gregory Varnum]

On 14 March and 15 March 2018, a CentralNotice banner appeared to some 
logged-out users viewing English Wikipedia pages. The banner contained 
JavaScript hosted by Facebook, which allowed Facebook to collect traffic data 
from those who visited a page with a banner. The banner was prepared by the 
Wikimedia Foundation. The Foundation turned the banner off as soon as we 
learned how the script was running, and its potential scope. We have also 
removed all references to the code in question from CentralNotice on Meta-Wiki.

The code utilized in this banner was based on an unused prototype created by an 
outside vendor. Because the prototype was never enabled, the vendor’s prototype 
code was not subjected to our standard quality assurance process. However, we 
made the mistake of reusing the code for a different purpose, and implementing 
it based on recommendations in documentation from Twitter and Facebook to 
improve the appearance of shared links. At the time, our understanding was that 
the platforms would only receive traffic data if the user clicked on the link. 
Although this was true for Twitter, the Facebook code operated differently.

We discovered the problematic link configurations during our ongoing monitoring 
of live banners. The recommended code enhanced not only the appearance of 
links, it also enhanced Facebook's ability to collect information on people 
visiting non-Facebook sites. As soon as we realized these banners were sharing 
information without even having to click the link, we disabled them and began 
an investigation. Staff in multiple departments are collaboratively reviewing 
the incident as well as procedural and technical improvements to prevent future 
incidents.

While this sort of tracking is commonplace today across most of the internet, 
it is not consistent with our policies. We are disappointed that this type of 
hidden data collection is routinely recommended by major platforms, without 
clearer disclosure.

These practices are why we all must regularly take routine steps to maintain a 
secure computer and account. As the Wikimedia Foundation continues to explore 
ways we can do that within Wikimedia's platform, we encourage you to consider 
tools which block unwanted third-party scripts like the one provided by 
Facebook.

We apologize for sending this late on a Friday (San Francisco time). However, 
we wanted to provide this information as quickly as possible.
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,