A Wikimedia employee accidentally released a malicious JavaScript worm that infected Meta-Wiki.

The Wikimedia Foundation has been forced to temporarily disable editing capabilities and prohibit the execution of custom scripts on Meta-Wiki, Wikipedia, and related Wiki sites due to a security incident that threatened to compromise the accounts of project administrators and led to widespread malicious modification of pages and scripts.

The incident occurred due to the negligence of a Wikimedia Foundation engineer on the security team. While testing API access limits from user scripts, the engineer experimented with loading a large number of randomly chosen real user scripts. The testing was performed using a privileged account with the right to edit MediaWiki:Common.js, and therefore the ability to load JavaScript for all users on all pages.

Among the personal scripts launched was a malicious script named test.js, created several years ago and downloaded from ru.wikipedia.org. It contained worm functionality: it added itself to every per-user JavaScript file (User:.../common.js) and to MediaWiki:Common.js, and it edited or deleted random pages (selected via Special:Random), leaving a note that the project was closing.

Running this script from a privileged account resulted in malicious code being inserted into user-defined JavaScript scripts on Meta-Wiki. When other users and Wikimedia administrators opened Meta-Wiki pages, the worm launched a chain reaction and caused widespread vandalism—several thousand pages were modified, and approximately 100 users had their common.js scripts replaced.
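As an added illustration that is not part of the original report, the following Python check runs over constructed recent-changes records (the field names mimic a MediaWiki recentchanges listing; the users, titles and timestamps are made up) and flags the propagation pattern described above: any edit to MediaWiki:Common.js, an edit to another user's common.js, and a burst of user-JS edits from a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape of a MediaWiki recentchanges listing
# (title, user, timestamp). Not real Meta-Wiki data.
SAMPLE_CHANGES = [
    {"title": "User:Alice/common.js", "user": "Alice", "timestamp": "2025-01-01T10:00:00Z"},
    {"title": "User:Bob/common.js", "user": "Privileged", "timestamp": "2025-01-01T10:01:00Z"},
    {"title": "User:Carol/common.js", "user": "Privileged", "timestamp": "2025-01-01T10:01:30Z"},
    {"title": "User:Dave/common.js", "user": "Privileged", "timestamp": "2025-01-01T10:02:00Z"},
    {"title": "MediaWiki:Common.js", "user": "Privileged", "timestamp": "2025-01-01T10:02:30Z"},
    {"title": "Main Page", "user": "Eve", "timestamp": "2025-01-01T10:03:00Z"},
]

def is_user_js(title):
    """Return the owner of a User:<name>/common.js page, or None for other titles."""
    if title.startswith("User:") and title.endswith("/common.js"):
        return title[len("User:"):-len("/common.js")]
    return None

def flag_js_propagation(changes, window=timedelta(minutes=5), threshold=3):
    """Return (kind, user, detail) findings for worm-like edits to JS pages."""
    findings = []
    user_js_edits = defaultdict(list)  # editor -> timestamps of user-JS edits
    for c in changes:
        ts = datetime.strptime(c["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        # Site-wide JS runs for every visitor; any edit deserves review.
        if c["title"] == "MediaWiki:Common.js":
            findings.append(("sitewide_js_edit", c["user"], c["title"]))
        owner = is_user_js(c["title"])
        if owner is not None:
            # A user's common.js is normally edited only by that user.
            if owner != c["user"]:
                findings.append(("foreign_user_js_edit", c["user"], c["title"]))
            user_js_edits[c["user"]].append(ts)
    # One account touching many user-JS pages in a short window is the
    # propagation signature; report the largest run within `window`.
    for user, times in user_js_edits.items():
        times.sort()
        for i, start in enumerate(times):
            end = i
            while end + 1 < len(times) and times[end + 1] - start <= window:
                end += 1
            if end - i + 1 >= threshold:
                findings.append(("user_js_burst", user, end - i + 1))
                break
    return findings
```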

The same malicious script was used in 2023 to attack the Russian-language wiki sites Wikireality and Cyclopedia. In 2024, a user with the nickname Ololoshka562 posted the script on their page at ru.wikipedia.org (ru.wikipedia.org/wiki/user:Ololoshka562/test.js). A year and a half later, the script was downloaded and executed by a Wikimedia engineer conducting an experiment.

The affected pages have since been restored, and editing is possible again. The read-only mode and the ban on user-defined JavaScript are said to have lasted approximately two hours. Wikimedia representatives stated that they have no reason to believe the incident was caused by a targeted attack or resulted in the compromise of personal data.

Source: opennet.ru