14 January 2020 security incident on Phabricator

List overview All Threads
Download

newer

older

MediaWiki 1.32 is End of Life

MediaWiki Language Extension...

David Sharpe

16 Jan 2020 16 Jan '20

3:24 p.m.

Hello, On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system. The Security team has investigated and assesses that there is no known impact from this incident. However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens. Additionally, we continue to encourage people to engage in online security best practices, such as keeping your software updated and resetting your passwords regularly. The Foundation will continue to investigate this incident and take steps to prevent it from occurring again in the future. In the meantime, Phabricator is online and functioning normally. We regret any inconvenience this may have caused and will provide updates if we learn of any further impact. Respectfully, David Sharpe Senior Information Security Analyst Wikimedia Foundation

Show replies by date

Pine W

16 Jan 16 Jan

4:49 p.m.

Hi David, Thanks for the information. Some of us use the same 2FA for Phabricator as for on wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator? Is there a public ticket that people can watch for updates and where public questions may be asked? Pine ( https://meta.wikimedia.org/wiki/User:Pine ) On Thu, Jan 16, 2020, 13:25 David Sharpe <dsharpe(a)wikimedia.org> wrote:

...

Greg Grossmeier

5:17 p.m.

On Thu, Jan 16, 2020 at 2:50 PM Pine W <wiki.pine(a)gmail.com> wrote:

...

Some of us use the same 2FA for Phabricator as for on wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?

Hi Pine, Phabricator has its own 2fa system that is separate from that of your wiki account 2fa. You may be using the same authenticator application on your phone, but there are separate accounts/codes for your wiki account and for your Phabricator account. tl;dr: this only affects your Phabricator 2fa token, no other tokens. Best, Greg -- | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E | | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |

Pine W

6:23 p.m.

Hi Greg, The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites. So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct? Pine ( https://meta.wikimedia.org/wiki/User:Pine ) On Thu, Jan 16, 2020, 15:18 Greg Grossmeier <greg(a)wikimedia.org> wrote:

...

On Thu, Jan 16, 2020 at 2:50 PM Pine W <wiki.pine(a)gmail.com> wrote:

Some of us use the same 2FA for Phabricator as for on wiki accounts.

Should

the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?

Greg Grossmeier

8:38 p.m.

Keeping this thread on-list to help others who might be unsure. Hello Pine, On Thu, Jan 16, 2020 at 4:23 PM Pine W <wiki.pine(a)gmail.com> wrote:

...

The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.

Correct, you are logging into your MediaWiki account with your 2FA token, then you are logging into Phabricator via OAuth. None of those logins nor 2FA tokens were affected by this.

...

So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?

Michael Holloway

10:25 p.m.

Do those of us using Phabricator 2FA need to take any action? On Fri, Jan 17, 2020 at 7:38 AM Greg Grossmeier <greg(a)wikimedia.org> wrote:

...

Keeping this thread on-list to help others who might be unsure. Hello Pine, On Thu, Jan 16, 2020 at 4:23 PM Pine W <wiki.pine(a)gmail.com> wrote:

The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The

MediaWiki

Correct, you are logging into your MediaWiki account with your 2FA token, then you are logging into Phabricator via OAuth. None of those logins nor 2FA tokens were affected by this.

So, although this 2FA allows logins to Phabricator, it sounds like there

a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?

Correct. Phabricator has its own 2FA system for people to use. You can see if you use it via your Account Settings, then clicking on "Multi-Factor Auth". That is the 2FA that is affected in this incident. Best, Greg -- | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E | | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D | _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

-- Michael Holloway Software Engineer, Product Infrastructure

revi

17 Jan 17 Jan

5:01 a.m.

Hi, If it is possible to do so, can you notify to the people whose 2FA were reset? I know at least few people who uses 2FA on Phab, and does not read emails from wikitech-l and/or wikimedia-l. Thanks! 나의 iPhone에서 보냄

...

2020. 1. 17. 06:26, David Sharpe <dsharpe(a)wikimedia.org> 작성: However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.

RhinosF1 -

9:25 a.m.

Can you also confirm we need to take NO action? RhinosF1 On Fri, 17 Jan 2020 at 11:02, revi <lists(a)revi.email> wrote:

...

2020. 1. 17. 06:26, David Sharpe <dsharpe(a)wikimedia.org> 작성: However, out of an abundance of caution, we are resetting all Two-Factor

Authentication keys for Phabricator and invalidating the exposed login access tokens. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

David Sharpe

9:50 a.m.

There is a team working on the Phabricator 2FA action item right now. More to come soon… No action is required for people without 2FA configured within Phabricator.

...

On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1(a)gmail.com> wrote: Can you also confirm we need to take NO action? RhinosF1 On Fri, 17 Jan 2020 at 11:02, revi <lists(a)revi.email> wrote:

2020. 1. 17. 06:26, David Sharpe <dsharpe(a)wikimedia.org> 작성: However, out of an abundance of caution, we are resetting all Two-Factor

_______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

RhinosF1 -

11:21 a.m.

What about those that do? RhinosF1 On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe(a)wikimedia.org> wrote:

...

There is a team working on the Phabricator 2FA action item right now. More to come soon… No action is required for people without 2FA configured within Phabricator.

On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1(a)gmail.com> wrote: Can you also confirm we need to take NO action? RhinosF1 On Fri, 17 Jan 2020 at 11:02, revi <lists(a)revi.email> wrote: > Hi, > > If it is possible to do so, can you notify to the people whose 2FA were > reset? I know at least few people who uses 2FA on Phab, and does not

read

> emails from wikitech-l and/or wikimedia-l. > > Thanks! > > 나의 iPhone에서 보냄 > >> 2020. 1. 17. 06:26, David Sharpe <dsharpe(a)wikimedia.org> 작성: >> >> However, out of an abundance of caution, we are resetting all

Two-Factor

_______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Andre Klapper

11:38 a.m.

On Fri, 2020-01-17 at 17:21 +0000, RhinosF1 - wrote:

...

What about those that do?

See the last email. It said: "More to come soon…". andre -- Andre Klapper (he/him) | Bugwrangler / Developer Advocate https://blogs.gnome.org/aklapper/

Mukunda Modell

20 Jan 20 Jan

8:17 p.m.

The plan is as follows: Sometime in the near future, we will be invalidating the sessions of anyone who has an auth factor which was potentially affected. If you were one of the potentially affected users then the next time you log in to Phabricator, you should see a notification directing you to reset your TOTP auth factor. If you don't see any notice like that then you are not among those who were potentially affected. I will post an update here once that is done, in the meantime you don't need to take any action in particular. On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - <rhinosf1(a)gmail.com> wrote:

...

What about those that do? RhinosF1 On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe(a)wikimedia.org> wrote:

There is a team working on the Phabricator 2FA action item right now. More to come soon… No action is required for people without 2FA configured within

Phabricator.

> On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1(a)gmail.com> wrote: > > Can you also confirm we need to take NO action? > > RhinosF1 > > On Fri, 17 Jan 2020 at 11:02, revi <lists(a)revi.email> wrote: > >> Hi, >> >> If it is possible to do so, can you notify to the people whose 2FA

were

> reset? I know at least few people who uses 2FA on Phab, and does not

read

Two-Factor

_______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Pine W

10:30 p.m.

Thanks for the updates, transparency, and timely notifications. I hope that I didn't sound like I was trying to be a pest earlier in this thread. What may have been clear to people who are familiar with Phabricator 2FA was not clear to me at the time. Pine ( https://meta.wikimedia.org/wiki/User:Pine )

David Sharpe

10:36 p.m.

That conversation helped provide more clarity. Thank you for taking the time to respond!

...

On Jan 20, 2020, at 11:30 PM, Pine W <wiki.pine(a)gmail.com> wrote: Thanks for the updates, transparency, and timely notifications. I hope that I didn't sound like I was trying to be a pest earlier in this thread. What may have been clear to people who are familiar with Phabricator 2FA was not clear to me at the time. Pine ( https://meta.wikimedia.org/wiki/User:Pine ) _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Mukunda Modell

23 Jan 23 Jan

10:55 a.m.

The update was deployed last night just a bit after midnight UTC. Upon logging in, anyone with an affected auth factor should see a notification with instructions for how to proceed. For the curious, you can see screenshots of the notification which I attached to the task for this change, T243247 [1]. [1]. https://phabricator.wikimedia.org/T243247 On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell <mmodell(a)wikimedia.org> wrote:

...

What about those that do? RhinosF1 On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe(a)wikimedia.org> wrote:

There is a team working on the Phabricator 2FA action item right now. More to come soon… No action is required for people without 2FA configured within

Phabricator.

were

> reset? I know at least few people who uses 2FA on Phab, and does not

read

Two-Factor >> Authentication keys for Phabricator and invalidating the exposed

> access tokens. > > > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

RhinosF1 -

11:10 a.m.

The spelling of ‘August’ is wrong in the second image on https://phabricator.wikimedia.org/T243247. Looks fine in the code though so not sure if fixed. RhinosF1 On Thu, 23 Jan 2020 at 16:55, Mukunda Modell <mmodell(a)wikimedia.org> wrote:

...

TOTP

auth factor. If you don't see any notice like that then you are not among those who were potentially affected. I will post an update here once that is done, in the meantime you don't need to take any action in particular. On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - <rhinosf1(a)gmail.com> wrote: > What about those that do? > > RhinosF1 > > On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe(a)wikimedia.org>

wrote:

> > > There is a team working on the Phabricator 2FA action item right now. > > More to come soon… > > > > No action is required for people without 2FA configured within > Phabricator. > > > > > > > > > On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1(a)gmail.com>

wrote:

> > > > > > Can you also confirm we need to take NO action? > > > > > > RhinosF1 > > > > > > On Fri, 17 Jan 2020 at 11:02, revi <lists(a)revi.email> wrote: > > > > > >> Hi, > > >> > > >> If it is possible to do so, can you notify to the people whose 2FA > were > > >> reset? I know at least few people who uses 2FA on Phab, and does

not

read >> emails from wikitech-l and/or wikimedia-l. >> >> Thanks! >> >> 나의 iPhone에서 보냄 >> >>> 2020. 1. 17. 06:26, David Sharpe <dsharpe(a)wikimedia.org> 작성: >>> >>> However, out of an abundance of caution, we are resetting all Two-Factor >> Authentication keys for Phabricator and invalidating the exposed

>> access tokens. >> >> >> _______________________________________________ >> Wikitech-l mailing list >> Wikitech-l(a)lists.wikimedia.org >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

1606

days inactive

1613

days old

wikitech-l@lists.wikimedia.org

Manage subscription

15 comments

8 participants

tags (0)

participants (8)

Andre Klapper
David Sharpe
Greg Grossmeier
Michael Holloway
Mukunda Modell
Pine W
revi
RhinosF1 -