Incidents/20170617-Phabricator-spam

Over the weekend of June 17th, 2017 our Phabricator instance's file upload feature was used to upload non openly licensed stuff ('pirated content') by multiple users. This is another example of people using the free rating via Wikipedia Zero to share pirated content.

This is a step by step outline of what happened to cause the incident and how it was remedied.

2017-06-17

• 14:55 - Framawiki created the task: "Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse" - task T168142
• ... - volans and Reedy deleted a lot of file content and disabled approx. 110 recently created user accounts with mostly Moroccan IP addresses
• ... - Framawiki, Mainframe98, Paladox, Peachey88, Reedy, zhuyifei1999, Zppix closed dozens of tasks created by these accounts
• 19:53 - Reedy emailed the Operations mailing list (subject "Phab WP0 file upload spam")
• 21:12 - Aklapper set Phabricator's auth.require-approval bit so all newly created accounts had to be approved by an admin before they could use the service

2017-06-18

• 09:13 - 20after4 submitted D687 - OAuth: Don't authenticate accounts which are blocked in MediaWiki

2017-06-22

• D687 deployed

2017-06-23

• volans deletes 49 more files that were missed previously. [1]

What weakness did we learn about and how can we address them?

• Phabricator makes admins delete content via the command line.
• We still allowed users who were blocked onwiki to create Phabricator accounts, making blocking users harder.

Explicit next steps to prevent this from happening again as much as possible, with Phabricator tasks linked for every step.

• Done Disallow blocked users on mediawiki to create accounts on phabricator - task T162996
  • N Not done This should also probably apply to wikitech ldap accounts, however, that may require changes to wikitech or the configuration of ldap servers - task T168692
• Done Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse - task T168142
• Done (Temporarily) Block certain IP ranges used by mobile providers - https://gerrit.wikimedia.org/r/#/c/363001/
• Done Remove phabricator.wikimedia.org from WP0 zero rating - https://gerrit.wikimedia.org/r/#/c/363264/
• Done Revert Block certain IP ranges used by mobile providers - https://gerrit.wikimedia.org/r/#/c/363356/

• T84 - Make sure Phabricator's anti-vandalism features are up to snuff
• T129845 - Commons and to a lesser extent other projects used as video hoster / file sharing site by Wikipedia Zero
• T167915 - Disable media for Morocco Wikipedia Zero
• Phabricator tools:
  • Note that accessing some of these links require Phabricator administrator rights.
  • Created Phabricator user accounts sorted by newest date
  • Files uploaded to Phabricator by newest date (does not list deleted files)
  • Log of all users' log-in/log-out activity by newest date
  • Query log-in activity per user or IP range
  • Phabricator Configuration: auth.require-approval