
The wikis are currently read-only
Closed, Resolved · Public

Description

Is everyone experiencing the inability to edit Wikis (Wikipedia, Wiktionary, etc.)? E.g. English Wikipedia, a random article, here's what I've been experiencing since 15:32 UTC:

image.png (623×484 px, 103 KB)

If so, how long is the maintenance for and where to read more about it? Was it planned?

Event Timeline


This issue is being actively worked on by staff and volunteers, ETA not yet available. Please monitor https://www.wikimediastatus.net/ for updates

Ladsgroup assigned this task to taavi.
Ladsgroup subscribed.

We are back at RW

Update as of 17:09 UTC: the wikis are back in read-write mode, but some functionalities are still disabled.
Unclear which functions.
This started with code at https://ru.wikipedia.org/wiki/%D0%A3%D1%87%D0%B0%D1%81%D1%82%D0%BD%D0%B8%D0%BA:Ololoshka562/test.js
I won't repost the since-deleted code, but I have saved it if someone is curious.

Some investigation was done in the Russian Wikipedia Discord chat; maybe it will be useful.

  1. In 2023, vandal attacks were made against two Russian-language alternative wiki projects, Wikireality and Cyclopedia. Here https://wikireality.ru/wiki/РАОрг is an article about the organisers of these attacks.
  2. In 2024, ruwiki user Ololoshka562 created a page https://ru.wikipedia.org/wiki/user:Ololoshka562/test.js containing the script used in these attacks. It was inactive for the next 1.5 years.
  3. Today, sbassett massively loaded other users' scripts into his global.js on Meta, maybe for testing global API limits: https://meta.wikimedia.org/wiki/Special:Contributions/SBassett_(WMF) . In one edit, he loaded Ololoshka's script: https://meta.wikimedia.org/w/index.php?diff=prev&oldid=30167202 and ran it.

It would be good if the user script disabling were limited to Meta, since this issue didn't affect other wikis. People seem to be angry enough about this; no reason to make them angrier, as many workflows depend on user scripts on most wikis.

> It would be good if the user script disabling were limited to Meta, since this issue didn't affect other wikis. People seem to be angry enough about this; no reason to make them angrier, as many workflows depend on user scripts on most wikis.

Strongly agree.

> Some investigation was done in the Russian Wikipedia Discord chat; maybe it will be useful.
>
>   1. In 2023, vandal attacks were made against two Russian-language alternative wiki projects, Wikireality and Cyclopedia. Here https://wikireality.ru/wiki/РАОрг is an article about the organisers of these attacks.
>   2. In 2024, ruwiki user Ololoshka562 created a page https://ru.wikipedia.org/wiki/user:Ololoshka562/test.js containing the script used in these attacks. It was inactive for the next 1.5 years.
>   3. Today, sbassett massively loaded other users' scripts into his global.js on Meta, maybe for testing global API limits: https://meta.wikimedia.org/wiki/Special:Contributions/SBassett_(WMF) . In one edit, he loaded Ololoshka's script: https://meta.wikimedia.org/w/index.php?diff=prev&oldid=30167202 and ran it.

I will be writing this up for the Signpost, so if you have the actual code, I would be curious to take a look at it for myself (I don't know if there are private messages on Phab but EmailUser on the English Wikipedia should work for me).

> It would be good if the user script disabling were limited to Meta, since this issue didn't affect other wikis. People seem to be angry enough about this; no reason to make them angrier, as many workflows depend on user scripts on most wikis.

Given the gaping security hole this revealed, I wouldn't be surprised if user scripts are disabled until more safety rails are in place (such as preventing them from non-interactive editing of common.js).

> Some investigation was done in the Russian Wikipedia Discord chat; maybe it will be useful.
>
>   1. In 2023, vandal attacks were made against two Russian-language alternative wiki projects, Wikireality and Cyclopedia. Here https://wikireality.ru/wiki/РАОрг is an article about the organisers of these attacks.
>   2. In 2024, ruwiki user Ololoshka562 created a page https://ru.wikipedia.org/wiki/user:Ololoshka562/test.js containing the script used in these attacks. It was inactive for the next 1.5 years.
>   3. Today, sbassett massively loaded other users' scripts into his global.js on Meta, maybe for testing global API limits: https://meta.wikimedia.org/wiki/Special:Contributions/SBassett_(WMF) . In one edit, he loaded Ololoshka's script: https://meta.wikimedia.org/w/index.php?diff=prev&oldid=30167202 and ran it.

> I will be writing this up for the Signpost, so if you have the actual code, I would be curious to take a look at it for myself (I don't know if there are private messages on Phab but EmailUser on the English Wikipedia should work for me).

Send me a ping on Discord "jay_cubby", and I'll send the file there.

@jpxg yes, I have the code (Ololoshka's code and the code that was injected into Meta's common.js; they are different). Write to me at mbhwik@gmail.com.

For future reference, the page User:Ololoshka562/test.js also seems to have been saved on the Internet Archive.

> Given the gaping security hole this revealed, I wouldn't be surprised if user scripts are disabled until more safety rails are in place (such as preventing them from non-interactive editing of common.js).

I think the known nature of the incident shows that this is not necessarily required to be done ASAP. Never mind that the WMF was not focusing on obvious solutions (such as requiring a 2FA confirmation step for editing site-wide JS) for years already.

Can the codes be shared here? Obscuring and hiding information will not prevent any future attacks, but sharing might help protect against them.

> It would be good if the user script disabling were limited to Meta, since this issue didn't affect other wikis. People seem to be angry enough about this; no reason to make them angrier, as many workflows depend on user scripts on most wikis.

If a steward is compromised they can theoretically put malicious JS into common.js on every Wikimedia wiki (which will cause a much larger mess than the current one). So I do not believe doing so is good.

> If a steward is compromised they can theoretically put malicious JS into common.js on every Wikimedia wiki (which will cause a much larger mess than the current one). So I do not believe doing so is good.

I wrote my comment based on the available code, not theoretically. It doesn't do that sort of thing. And unless another person loads some other bullshit script, it won't.

What user code is disabled for now? I tried on my account and it seems like gadgets are not affected?

> Given the gaping security hole this revealed, I wouldn't be surprised if user scripts are disabled until more safety rails are in place (such as preventing them from non-interactive editing of common.js).

> I think the known nature of the incident shows that this is not necessarily required to be done ASAP. Never mind that the WMF was not focusing on obvious solutions (such as requiring a 2FA confirmation step for editing site-wide JS) for years already.

That might be a good idea, but there are also gadgets. And some gadgets load user code. And some users load code of other users. This is sometimes even required and there is no other installation method (like e.g. User:SuperHamster/view-it-full.js).
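The comments above ask for safety rails around site-wide JS and around user scripts that load other users' code, while noting that some gadgets legitimately do exactly that. As an added example (not code from this task, from MediaWiki or from Wikimedia), here is a small reviewer that runs over constructed recentchanges-style records with the new revision text attached and flags the two cases worth a human look: any edit to a page in the MediaWiki namespace ending in .js, and any user .js page that pulls code from another wiki or another user's subpage. The namespace numbers (2 = User, 8 = MediaWiki) and the client calls importScript() and mw.loader.load() are real; the users, titles, URL and the record shape beyond the standard title/ns/user fields are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# MediaWiki namespace numbers: 2 = User, 8 = MediaWiki (site-wide pages).
NS_USER = 2
NS_MEDIAWIKI = 8

# The two standard client-side calls a user script uses to pull in more code.
# importScript() and mw.loader.load() are real MediaWiki front-end functions;
# the regexes only look for a single quoted string argument.
LOAD_PATTERNS = [
    re.compile(r"""importScript\s*\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""mw\.loader\.load\s*\(\s*['"]([^'"]+)['"]"""),
]


@dataclass
class Finding:
    title: str
    user: str
    reason: str
    sources: list = field(default_factory=list)


def is_js_page(title: str, ns: int) -> bool:
    """Only .js pages in the User or MediaWiki namespace run in other people's browsers."""
    return ns in (NS_USER, NS_MEDIAWIKI) and title.endswith(".js")


def loaded_sources(text: str) -> list:
    """Every script location the new revision text loads."""
    return [m.group(1) for pat in LOAD_PATTERNS for m in pat.finditer(text)]


def is_foreign(source: str, editor: str) -> bool:
    """True when the loaded script lives on another wiki or under another user's pages."""
    if source.startswith(("http://", "https://", "//")):
        return True
    return source.startswith("User:") and not source.startswith(f"User:{editor}/")


def review_edit(rc: dict):
    """rc mirrors a recentchanges record (title, ns, user) plus the new text.
    Returns a Finding for human review, or None when the edit needs no attention."""
    title, ns, user = rc["title"], rc["ns"], rc["user"]
    if not is_js_page(title, ns):
        return None
    sources = loaded_sources(rc.get("text", ""))
    if ns == NS_MEDIAWIKI:
        # Any site-wide JS change runs for every visitor: always review it.
        return Finding(title, user, "site-wide JavaScript edited", sources)
    foreign = [s for s in sources if is_foreign(s, user)]
    if foreign:
        return Finding(title, user, "user JavaScript loads code from another user or wiki", foreign)
    return None


def review_all(records: list) -> list:
    return [f for f in (review_edit(rc) for rc in records) if f is not None]


# Constructed sample records; users, titles and the URL are made up for this example.
SAMPLE_EDITS = [
    {"title": "User:Alice/common.js", "ns": NS_USER, "user": "Alice",
     "text": "importScript('User:Alice/helper.js');"},
    {"title": "User:Bob/global.js", "ns": NS_USER, "user": "Bob",
     "text": "mw.loader.load('//example.wiki.invalid/w/index.php?title=User:Carol/test.js&action=raw&ctype=text/javascript');"},
    {"title": "MediaWiki:Common.js", "ns": NS_MEDIAWIKI, "user": "Dave",
     "text": "/* site-wide */ importScript('User:Eve/tool.js');"},
    {"title": "User:Alice/sandbox", "ns": NS_USER, "user": "Alice",
     "text": "not a script page"},
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_EDITS):
        print(f"{f.title} by {f.user}: {f.reason} {f.sources}")
```

The point of flagging rather than blocking is the one made above: a load of someone else's script is sometimes the only installation method, so the output is a review queue, not a filter. Alice's edit loading her own helper produces nothing; Bob's cross-wiki load and Dave's site-wide change each produce a finding.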

Another issue that needs fixing is T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block. It is not directly related to this incident, but we need to prevent XSS from third-party websites from spreading into Wikimedia projects. Currently a malicious script on any website can make every viewer a vandalbot on Wikimedia.
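The comment above describes why a shared anonymous edit token fails: a page on any other site can include the public value in a request, so the check proves nothing about who sent it. As an added example (not MediaWiki's code and not the fix proposed in T40417), the block below puts the weak design next to the standard remedy: a token derived with an HMAC from a per-session secret and the action name, compared in constant time. The fixed token string, the server key and the session-id format are constructed for the example; it assumes anonymous editors receive a session cookie when the edit form is served, since without one there is nothing to bind the token to.

```python
import hashlib
import hmac
import secrets

# --- Weak design: one fixed token shared by every anonymous visitor. ---
# Constructed stand-in for a fixed, publicly known anonymous token.
FIXED_ANON_TOKEN = "+\\"


def weak_check(submitted: str) -> bool:
    """Accepts any request carrying the public constant, whoever sent it."""
    return submitted == FIXED_ANON_TOKEN


# --- Stronger design: token derived from a per-session secret and the action. ---
# Constructed server secret; a real deployment keeps this out of source control.
SERVER_KEY = b"constructed-server-key-for-example-only"


def new_session_id() -> str:
    """Per-browser secret issued in a cookie when the edit form is served."""
    return secrets.token_hex(16)


def make_token(session_id: str, action: str = "edit") -> str:
    """HMAC over session and action, so a token for one session or one action
    cannot be replayed for another."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def strong_check(session_id: str, action: str, submitted: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    return hmac.compare_digest(make_token(session_id, action), submitted)


def demo() -> dict:
    """Outcomes for the situation the comment describes: a form posted from a
    third-party site knows the public constant but not the visitor's session token."""
    visitor = new_session_id()
    other = new_session_id()
    return {
        "weak_accepts_public_constant": weak_check(FIXED_ANON_TOKEN),
        "strong_accepts_own_token": strong_check(visitor, "edit", make_token(visitor)),
        "strong_rejects_public_constant": strong_check(visitor, "edit", FIXED_ANON_TOKEN),
        "strong_rejects_other_session": strong_check(visitor, "edit", make_token(other)),
        "strong_rejects_other_action": strong_check(visitor, "edit", make_token(visitor, "delete")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session-bound token is the only value a third-party page cannot obtain, which is why the remaining four checks reject while the weak one accepts. Binding the action as well keeps a token obtained for one form from being reused on another.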