Incident documentation/20170617-Phabricator-spam

From Wikitech
Jump to: navigation, search

Summary

Over the weekend of June 17th, 2017 our Phabricator instance's file upload feature was used to upload non openly licensed stuff ('pirated content') by multiple users. This is another example of people using the free rating via Wikipedia Zero to share pirated content.

Timeline

This is a step by step outline of what happened to cause the incident and how it was remedied.

2017-06-17

  • 14:55 - Framawiki created the task: "Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse" - Task T168142
  • ... - volans and Reedy deleted a lot of file content and disabled approx. 110 recently created user accounts with mostly Moroccan IP addresses
  • ... - Framawiki, Mainframe98, Paladox, Peachey88, Reedy, zhuyifei1999, Zppix closed dozens of tasks created by these accounts
  • 19:53 - Reedy emailed the Operations mailing list (subject "Phab WP0 file upload spam")
  • 21:12 - Aklapper set Phabricator's auth.require-approval bit so all newly created accounts had to be approved by an admin before they could use the service

2017-06-18

2017-06-22

2017-06-23

  • volans deletes 49 more files that were missed previously. [1]

Conclusions

What weakness did we learn about and how can we address them?

  • Phabricator makes admins delete content via the command line.
  • We still allowed users who were blocked onwiki to create Phabricator accounts, making blocking users harder.

Actionables

Explicit next steps to prevent this from happening again as much as possible, with Phabricator tasks linked for every step.


Related links