Thank you for letting us know early on. I would also want to see a post-mortem on this and I hope the steps taken to mitigate the risk will be consistent with the ones taken on the recent fa.wiki cryptocurrency case.
Strainu

On 17 March 2018 03:57:28 EET, Gregory Varnum <gvar...@wikimedia.org> wrote:
>On 14 March and 15 March 2018, a CentralNotice banner appeared to some
>logged-out users viewing English Wikipedia pages. The banner contained
>JavaScript hosted by Facebook, which allowed Facebook to collect
>traffic data from those who visited a page with a banner. The banner
>was prepared by the Wikimedia Foundation. The Foundation turned the
>banner off as soon as we learned how the script was running, and its
>potential scope. We have also removed all references to the code in
>question from CentralNotice on Meta-Wiki.
>
>The code utilized in this banner was based on an unused prototype
>created by an outside vendor. Because the prototype was never enabled,
>the vendor's prototype code was not subjected to our standard quality
>assurance process. However, we made the mistake of reusing the code for
>a different purpose, and implementing it based on recommendations in
>documentation from Twitter and Facebook to improve the appearance of
>shared links. At the time, our understanding was that the platforms
>would only receive traffic data if the user clicked on the link.
>Although this was true for Twitter, the Facebook code operated
>differently.
>
>We discovered the problematic link configurations during our ongoing
>monitoring of live banners. The recommended code enhanced not only the
>appearance of links, it also enhanced Facebook's ability to collect
>information on people visiting non-Facebook sites. As soon as we
>realized these banners were sharing information without even having to
>click the link, we disabled them and began an investigation. Staff in
>multiple departments are collaboratively reviewing the incident as well
>as procedural and technical improvements to prevent future incidents.
>
>While this sort of tracking is commonplace today across most of the
>internet, it is not consistent with our policies. We are disappointed
>that this type of hidden data collection is routinely recommended by
>major platforms, without clearer disclosure.
>
>These practices are why we all must regularly take routine steps to
>maintain a secure computer and account. As the Wikimedia Foundation
>continues to explore ways we can do that within Wikimedia's platform,
>we encourage you to consider tools which block unwanted third-party
>scripts like the one provided by Facebook.
>
>We apologize for sending this late on a Friday (San Francisco time).
>However, we wanted to provide this information as quickly as possible.
>_______________________________________________
>Wikimedia-l mailing list, guidelines at:
>https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
>https://meta.wikimedia.org/wiki/Wikimedia-l
>New messages to: Wikimedia-l@lists.wikimedia.org
>Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
><mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
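The quoted announcement draws the line that matters for a banner review: a plain share link only contacts the platform when someone clicks it, whereas a script, pixel or frame fetched from a third-party host fires as soon as the banner renders. The check below is an added example, written for this thread; it is not code from the Wikimedia Foundation, from the CentralNotice extension, or from the vendor prototype mentioned above. It lints a banner's HTML before deployment and lists every resource that would be loaded from an origin outside an allowlist, including URLs hidden inside inline scripts (the usual pattern for an SDK bootstrap that injects a script tag at runtime). The allowlist, the `third-party.example` hostnames and the two sample banners are all constructed for the example; the incident's actual banner markup is not on this page.

```javascript
// Added example, not Wikimedia or CentralNotice code. A pre-deployment lint
// for banner HTML: report every resource the banner would fetch on render
// from an origin outside an allowlist. Such loads run or fire with no click
// required, which is the behaviour the announcement above describes.

// Hypothetical allowlist of first-party origins a banner may load from.
const ALLOWED_ORIGINS = new Set([
  "https://en.wikipedia.org",
  "https://meta.wikimedia.org",
  "https://upload.wikimedia.org",
]);

// Tags whose URL attribute triggers a request as soon as the banner renders.
// <a href> is deliberately absent: a link only contacts its target on click.
const LOADING_ATTRS = { script: "src", iframe: "src", img: "src", link: "href" };

// Absolute or protocol-relative URL literals inside inline JavaScript, e.g.
// s.src = 'https://host/sdk.js' in a document.createElement('script') snippet.
const URL_IN_JS = /(?:https?:)?\/\/[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:\/[^\s"'`)]*)?/gi;

// Resolve a raw URL against the page and return its http(s) origin, or null
// for anything unparseable or non-http(s) (javascript:, data:, ...), which the
// caller then flags for manual review rather than silently allowing.
function originOf(raw, base) {
  try {
    const u = new URL(raw, base);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Returns a list of { kind, url, origin } findings; an empty list means clean.
function findThirdPartyLoads(html, pageUrl, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const report = (kind, raw) => {
    const origin = originOf(raw, pageUrl);
    if (origin === null || !allowed.has(origin)) findings.push({ kind, url: raw, origin });
  };

  // 1. Tags with a URL attribute that loads on render.
  const tagRe = /<([a-z]+)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = LOADING_ATTRS[tag];
    if (!attr) continue;
    const attrRe = new RegExp(`\\b${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const am = attrRe.exec(m[2]);
    if (am) report(`${tag}[${attr}]`, (am[1] ?? am[2] ?? am[3]).trim());
  }

  // 2. Inline scripts: any external URL literal is suspicious, because a
  //    runtime-injected <script> bypasses a review that only looks at tags.
  const inlineRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    if (/\bsrc\s*=/i.test(m[1])) continue; // external script already handled above
    for (const hit of m[2].match(URL_IN_JS) ?? []) report("inline-script-url", hit);
  }
  return findings;
}

function isBannerClean(html, pageUrl, allowed = ALLOWED_ORIGINS) {
  return findThirdPartyLoads(html, pageUrl, allowed).length === 0;
}

// Constructed sample banners (not the banner from the incident).
const PAGE = "https://en.wikipedia.org/wiki/Main_Page";

// Same-origin image plus a share link that only fires on click: passes.
const CLEAN_BANNER = `
<div class="cn-banner">
  <img src="//upload.wikimedia.org/wikipedia/commons/logo.png" alt="">
  <a href="https://social.example/share?u=https://en.wikipedia.org/wiki/Main_Page">Share</a>
  <script>document.querySelector('.cn-banner').dataset.seen = '1';</script>
</div>`;

// Tracking pixel plus an inline SDK bootstrap: both load on render, both flagged.
const TRACKING_BANNER = `
<div class="cn-banner">
  <img src="https://pixel.third-party.example/p.gif?ref=enwiki" alt="">
  <script>
    var s = document.createElement('script');
    s.src = 'https://connect.third-party.example/sdk.js';
    document.head.appendChild(s);
  </script>
</div>`;

for (const [name, html] of [["clean", CLEAN_BANNER], ["tracking", TRACKING_BANNER]]) {
  const findings = findThirdPartyLoads(html, PAGE);
  console.log(name, findings.length === 0 ? "OK" : findings);
}
```

Run it with `node` on any banner HTML before the banner is saved. A regex scan is a review aid, not a sandbox: it catches hardcoded hosts, but a script that builds its target URL at runtime needs either a real render in an instrumented browser or, more robustly, a Content-Security-Policy whose `script-src`, `img-src` and `frame-src` carry the same allowlist, so the browser refuses the load even when the review misses it. Whether the banner-serving pages in this incident carried such a policy is not stated in the thread.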