Everyone on Wikimedia wikis will shortly be logged out and will have to log back in again.
We are resetting all sessions because we believe that, due to a configuration error, session cookies may have been sent in cacheable responses. Some users reported that they saw the site as if they were logged in as someone else. We believe that the number of affected users was very small. However, we believe that resetting all sessions is a prudent measure to ensure that the impact is limited.
There are several layers of protection against something like this happening, and we don't yet know how all of them failed, but we have made a configuration change which should be sufficient to prevent it from happening again.
-- Tim Starling
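The failure mode Tim describes, a response carrying a session cookie being stored by a shared cache and then handed to the next visitor of the same URL, as an added example in Python. This is not Wikimedia's code or configuration; the cookie names, the `X-Demo-User` header and the misconfigured origin are constructed for the demonstration. The weak rule models a cache that trusts `Cache-Control` alone; the hardened rule adds the independent layers an edge cache can enforce regardless of what the application sends (refuse any response with `Set-Cookie`, bypass the cache for requests that carry a session cookie, and store only what is explicitly marked `public` or `s-maxage`).

```python
"""Simulated shared HTTP cache, with a weak and a hardened admission rule.

Added example, not Wikimedia code. It models the failure described in
the thread: a response that carries a session cookie is admitted to a
shared cache, so the next visitor to the same URL receives the first
user's Set-Cookie header and appears to be logged in as them.
"""
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]

# Hypothetical cookie names used only for this demonstration.
SESSION_COOKIE_NAMES = {"appSession", "appUserID"}


def cache_control_directives(value: str) -> set:
    """Parse 'private, max-age=0' into {'private', 'max-age'}."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def has_session_cookie(cookie_header: str) -> bool:
    """True if the request's Cookie header names a session cookie."""
    names = {c.strip().split("=", 1)[0]
             for c in cookie_header.split(";") if c.strip()}
    return bool(names & SESSION_COOKIE_NAMES)


def weak_admission(request: Headers, response: Headers) -> bool:
    """Weak rule: store anything the origin did not explicitly forbid.

    If this is the only layer, a misconfigured origin that sends
    Set-Cookie with a cacheable Cache-Control leaks the cookie.
    """
    cc = cache_control_directives(response.get("Cache-Control", ""))
    return not (cc & {"private", "no-store"})


def hardened_admission(request: Headers, response: Headers) -> bool:
    """Hardened rule: independent checks, any one of which refuses storage."""
    cc = cache_control_directives(response.get("Cache-Control", ""))
    if cc & {"private", "no-store"}:
        return False
    # Layer 1: a response that sets any cookie is per-client state.
    if "Set-Cookie" in response:
        return False
    # Layer 2: a request carrying a session cookie belongs to a logged-in
    # user; its response is personalised even if the origin forgot to say so.
    if has_session_cookie(request.get("Cookie", "")):
        return False
    # Layer 3: store only what the origin explicitly marked shareable.
    return bool(cc & {"public", "s-maxage"})


class SharedCache:
    """Minimal URL-keyed cache that consults an admission rule before storing."""

    def __init__(self, admit: Callable[[Headers, Headers], bool]) -> None:
        self.admit = admit
        self.store: Dict[str, Headers] = {}

    def fetch(self, url: str, request: Headers,
              origin: Callable[[Headers], Headers]) -> Tuple[Headers, bool]:
        """Return (response headers, served_from_cache)."""
        if url in self.store:
            return self.store[url], True
        response = origin(request)
        if self.admit(request, response):
            self.store[url] = response
        return response, False


def misconfigured_origin(request: Headers) -> Headers:
    """Constructed origin: sets a session cookie but, by misconfiguration,
    also marks the response publicly cacheable."""
    user = request.get("X-Demo-User", "anonymous")
    return {
        "Cache-Control": "public, max-age=3600",
        "Set-Cookie": f"appSession={user}-token; HttpOnly; Secure",
        "Content-Type": "text/html",
    }


def simulate(admit: Callable[[Headers, Headers], bool]) -> Tuple[str, bool]:
    """Alice loads a page, then Bob loads the same URL.

    Returns the Set-Cookie value Bob receives and whether it came from cache.
    """
    cache = SharedCache(admit)
    cache.fetch("/wiki/Main_Page", {"X-Demo-User": "alice"}, misconfigured_origin)
    response, hit = cache.fetch("/wiki/Main_Page", {"X-Demo-User": "bob"},
                                misconfigured_origin)
    return response["Set-Cookie"], hit


if __name__ == "__main__":
    for rule in (weak_admission, hardened_admission):
        cookie, hit = simulate(rule)
        print(f"{rule.__name__}: Bob got {cookie!r} (from cache: {hit})")
```

Under the weak rule Bob is served Alice's `Set-Cookie` from the cache; under the hardened rule the same misconfigured origin response is never stored, so Bob gets his own cookie. The point of stacking the three checks is that each one catches the leak on its own, so a single misconfiguration at the application does not become a session-sharing incident.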
Thanks Tim,
1. Does “saw the site” mean users actually had full or partial access to the accounts of other users, or simply were viewing a cached version of the site that appeared as if they were logged in as someone else? How many users were impacted?
2. Does the WMF hold incident review meetings and publish reports about what steps are taken to prevent repeat incidents with the same root cause?
On Thu, Jun 25, 2020 at 7:44 PM Tim Starling tstarling@wikimedia.org wrote:
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I replied on wikitech-l. I suggest continuing the discussion there.
-- Tim Starling
On 26/6/20 3:26 pm, Steven Walling wrote:
Wikitech-ambassadors mailing list Wikitech-ambassadors@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-ambassadors
Everyone on Wikimedia wikis will shortly be logged out and will have to log back in again.
The protections we deployed on June 26 failed to cover some cases. We have updated the traffic layer today to also protect against these cases.
-- Timo Tijhof
On Fri, Jun 26, 2020 at 3:44 AM Tim Starling tstarling@wikimedia.org wrote: