I replied on wikitech-l. I suggest continuing the discussion there.

-- Tim Starling

On 26/6/20 3:26 pm, Steven Walling wrote:
> Thanks Tim,
>
> 1. Does “saw the site” mean users actually had full or partial
> access to the accounts of other users, or simply were viewing a
> cached version of the site that appeared as if they were logged in
> as someone else? How many users were impacted?
>
> 2. Does the WMF hold incident review meetings and publish reports
> about what steps are taken to prevent repeat incidents with the same
> root cause?
>
> On Thu, Jun 25, 2020 at 7:44 PM Tim Starling
> <tstarl...@wikimedia.org> wrote:
>
> > Everyone on Wikimedia wikis will shortly be logged out and will have
> > to log back in again.
> >
> > We are resetting all sessions because we believe that, due to a
> > configuration error, session cookies may have been sent in cacheable
> > responses. Some users reported that they saw the site as if they were
> > logged in as someone else. We believe that the number of affected
> > users was very small. However, we believe that resetting all sessions
> > is a prudent measure to ensure that the impact is limited.
> >
> > There are several layers of protection against something like this
> > happening, and we don't yet know how all of them failed, but we have
> > made a configuration change which should be sufficient to prevent it
> > from happening again.
> >
> > -- Tim Starling
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > wikitec...@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
> _______________________________________________
> Wikitech-ambassadors mailing list
> Wikitech-ambassadors@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-ambassadors
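The condition named in the quoted announcement, a session cookie sent in a cacheable response, can be checked for on any response. The following is an added example, not part of the thread and not Wikimedia's code: it applies a simplified reading of the HTTP caching rules (RFC 9111) to constructed header sets, and all function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

def _directives(headers):
    """Merge every Cache-Control line into {directive: argument or None}."""
    out = {}
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key.strip():
                out[key.strip().lower()] = arg.strip().strip('"') or None
    return out

def _seconds(arg):
    try:
        return int(arg)
    except (TypeError, ValueError):
        return 0  # malformed delta-seconds: treat as already stale

def shared_cache_may_reuse(headers):
    """True if a shared cache could serve this response to another client."""
    cc = _directives(headers)
    if cc.keys() & {"private", "no-store", "no-cache"}:
        return False
    if "s-maxage" in cc:  # overrides max-age for shared caches
        return _seconds(cc["s-maxage"]) > 0
    if "max-age" in cc:
        return _seconds(cc["max-age"]) > 0
    h = {n.lower(): v for n, v in headers}
    if "expires" in h:
        try:  # fresh only if Expires is later than Date
            return parsedate_to_datetime(h["expires"]) > parsedate_to_datetime(h["date"])
        except (KeyError, TypeError, ValueError):
            return False  # invalid Expires (e.g. "0") or no Date: treat as expired
    return "public" in cc or "last-modified" in h  # heuristic freshness

def leaks_cookie(headers):
    """Flag a response that sets a cookie and is reusable by a shared cache."""
    sets_cookie = any(n.lower() == "set-cookie" for n, _ in headers)
    return sets_cookie and shared_cache_may_reuse(headers)

# Constructed sample responses (not captured from any real site).
COOKIE = ("Set-Cookie", "session=CONSTRUCTED; HttpOnly; Secure")
CACHEABLE = [("Cache-Control", "s-maxage=1209600, must-revalidate, max-age=0"), COOKIE]
PRIVATE = [("Cache-Control", "private, must-revalidate, max-age=0"), COOKIE]
HEURISTIC = [("Last-Modified", "Thu, 25 Jun 2020 10:00:00 GMT"), COOKIE]
EXPIRED = [("Date", "Thu, 25 Jun 2020 12:00:00 GMT"), ("Expires", "0"), COOKIE]
ANONYMOUS = [("Cache-Control", "public, max-age=300")]
```

`leaks_cookie` is true for `CACHEABLE` and `HEURISTIC` only; the second case shows that a response with no `Cache-Control` at all can still be stored and reused.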