Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
The spelling of ‘August’ is wrong in the second image on https://phabricator.wikimedia.org/T243247. Looks fine in the code though, so not sure if fixed.

RhinosF1

On Thu, 23 Jan 2020 at 16:55, Mukunda Modell wrote:

> The update was deployed last night just a bit after midnight UTC. Upon logging in, anyone with an affected auth factor should see a notification with instructions for how to proceed.
>
> For the curious, you can see screenshots of the notification which I attached to the task for this change, T243247 [1].
>
> [1]. https://phabricator.wikimedia.org/T243247
>
> On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell wrote:
>
>> The plan is as follows:
>>
>> Sometime in the near future, we will be invalidating the sessions of anyone who has an auth factor which was potentially affected. If you were one of the potentially affected users then the next time you log in to Phabricator, you should see a notification directing you to reset your TOTP auth factor. If you don't see any notice like that then you are not among those who were potentially affected.
>>
>> I will post an update here once that is done; in the meantime you don't need to take any action in particular.
>>
>> On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 wrote:
>>
>>> What about those that do?
>>>
>>> RhinosF1
>>>
>>> On Fri, 17 Jan 2020 at 15:51, David Sharpe wrote:
>>>
>>>> There is a team working on the Phabricator 2FA action item right now. More to come soon…
>>>>
>>>> No action is required for people without 2FA configured within Phabricator.
>>>>
>>>>> On Jan 17, 2020, at 10:25 AM, RhinosF1 wrote:
>>>>>
>>>>> Can you also confirm we need to take NO action?
>>>>>
>>>>> RhinosF1
>>>>>
>>>>> On Fri, 17 Jan 2020 at 11:02, revi wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>>>>>>
>>>>>>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
The update was deployed last night just a bit after midnight UTC. Upon logging in, anyone with an affected auth factor should see a notification with instructions for how to proceed.

For the curious, you can see screenshots of the notification which I attached to the task for this change, T243247 [1].

[1]. https://phabricator.wikimedia.org/T243247

On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell wrote:

> The plan is as follows:
>
> Sometime in the near future, we will be invalidating the sessions of anyone who has an auth factor which was potentially affected. If you were one of the potentially affected users then the next time you log in to Phabricator, you should see a notification directing you to reset your TOTP auth factor. If you don't see any notice like that then you are not among those who were potentially affected.
>
> I will post an update here once that is done; in the meantime you don't need to take any action in particular.
>
> On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 wrote:
>
>> What about those that do?
>>
>> RhinosF1
>>
>> On Fri, 17 Jan 2020 at 15:51, David Sharpe wrote:
>>
>>> There is a team working on the Phabricator 2FA action item right now. More to come soon…
>>>
>>> No action is required for people without 2FA configured within Phabricator.
>>>
>>>> On Jan 17, 2020, at 10:25 AM, RhinosF1 wrote:
>>>>
>>>> Can you also confirm we need to take NO action?
>>>>
>>>> RhinosF1
>>>>
>>>> On Fri, 17 Jan 2020 at 11:02, revi wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>>>>>
>>>>>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
That conversation helped provide more clarity. Thank you for taking the time to respond!

> On Jan 20, 2020, at 11:30 PM, Pine W wrote:
>
> Thanks for the updates, transparency, and timely notifications.
>
> I hope that I didn't sound like I was trying to be a pest earlier in this thread. What may have been clear to people who are familiar with Phabricator 2FA was not clear to me at the time.
>
> Pine
> ( https://meta.wikimedia.org/wiki/User:Pine )
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Thanks for the updates, transparency, and timely notifications.

I hope that I didn't sound like I was trying to be a pest earlier in this thread. What may have been clear to people who are familiar with Phabricator 2FA was not clear to me at the time.

Pine
( https://meta.wikimedia.org/wiki/User:Pine )
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
The plan is as follows:

Sometime in the near future, we will be invalidating the sessions of anyone who has an auth factor which was potentially affected. If you were one of the potentially affected users then the next time you log in to Phabricator, you should see a notification directing you to reset your TOTP auth factor. If you don't see any notice like that then you are not among those who were potentially affected.

I will post an update here once that is done; in the meantime you don't need to take any action in particular.

On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 wrote:

> What about those that do?
>
> RhinosF1
>
> On Fri, 17 Jan 2020 at 15:51, David Sharpe wrote:
>
>> There is a team working on the Phabricator 2FA action item right now. More to come soon…
>>
>> No action is required for people without 2FA configured within Phabricator.
>>
>>> On Jan 17, 2020, at 10:25 AM, RhinosF1 wrote:
>>>
>>> Can you also confirm we need to take NO action?
>>>
>>> RhinosF1
>>>
>>> On Fri, 17 Jan 2020 at 11:02, revi wrote:
>>>
>>>> Hi,
>>>>
>>>> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>>>>
>>>> Thanks!
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>>>>
>>>>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
On Fri, 2020-01-17 at 17:21 +, RhinosF1 wrote:
> What about those that do?

See the last email. It said: "More to come soon…".

andre

--
Andre Klapper (he/him) | Bugwrangler / Developer Advocate
https://blogs.gnome.org/aklapper/
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
What about those that do?

RhinosF1

On Fri, 17 Jan 2020 at 15:51, David Sharpe wrote:

> There is a team working on the Phabricator 2FA action item right now. More to come soon…
>
> No action is required for people without 2FA configured within Phabricator.
>
>> On Jan 17, 2020, at 10:25 AM, RhinosF1 wrote:
>>
>> Can you also confirm we need to take NO action?
>>
>> RhinosF1
>>
>> On Fri, 17 Jan 2020 at 11:02, revi wrote:
>>
>>> Hi,
>>>
>>> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>>>
>>> Thanks!
>>>
>>> Sent from my iPhone
>>>
>>>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>>>
>>>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
There is a team working on the Phabricator 2FA action item right now. More to come soon…

No action is required for people without 2FA configured within Phabricator.

> On Jan 17, 2020, at 10:25 AM, RhinosF1 wrote:
>
> Can you also confirm we need to take NO action?
>
> RhinosF1
>
> On Fri, 17 Jan 2020 at 11:02, revi wrote:
>
>> Hi,
>>
>> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>>
>> Thanks!
>>
>> Sent from my iPhone
>>
>>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>>
>>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Can you also confirm we need to take NO action?

RhinosF1

On Fri, 17 Jan 2020 at 11:02, revi wrote:

> Hi,
>
> If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
>
> Thanks!
>
> Sent from my iPhone
>
>> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>>
>> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Hi,

If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.

Thanks!

Sent from my iPhone

> On 2020. 1. 17. at 06:26, David Sharpe wrote:
>
> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Do those of us using Phabricator 2FA need to take any action?

On Fri, Jan 17, 2020 at 7:38 AM Greg Grossmeier wrote:

> Keeping this thread on-list to help others who might be unsure.
>
> Hello Pine,
>
> On Thu, Jan 16, 2020 at 4:23 PM Pine W wrote:
>
>> The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.
>
> Correct, you are logging into your MediaWiki account with your 2FA token, then you are logging into Phabricator via OAuth.
>
> None of those logins nor 2FA tokens were affected by this.
>
>> So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?
>
> Correct. Phabricator has its own 2FA system for people to use.
>
> You can see if you use it via your Account Settings, then clicking on "Multi-Factor Auth". That is the 2FA that is affected in this incident.
>
> Best,
>
> Greg
>
> --
> | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
> | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |

--
Michael Holloway
Software Engineer, Product Infrastructure
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Keeping this thread on-list to help others who might be unsure.

Hello Pine,

On Thu, Jan 16, 2020 at 4:23 PM Pine W wrote:

> The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.

Correct, you are logging into your MediaWiki account with your 2FA token, then you are logging into Phabricator via OAuth.

None of those logins nor 2FA tokens were affected by this.

> So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?

Correct. Phabricator has its own 2FA system for people to use.

You can see if you use it via your Account Settings, then clicking on "Multi-Factor Auth". That is the 2FA that is affected in this incident.

Best,

Greg

--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Hi Greg,

The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.

So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?

Pine
( https://meta.wikimedia.org/wiki/User:Pine )

On Thu, Jan 16, 2020, 15:18 Greg Grossmeier wrote:

> On Thu, Jan 16, 2020 at 2:50 PM Pine W wrote:
>
>> Some of us use the same 2FA for Phabricator as for on-wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?
>
> Hi Pine,
>
> Phabricator has its own 2fa system that is separate from that of your wiki account 2fa.
>
> You may be using the same authenticator application on your phone, but there are separate accounts/codes for your wiki account and for your Phabricator account.
>
> tl;dr: this only affects your Phabricator 2fa token, no other tokens.
>
> Best,
>
> Greg
>
> --
> | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
> | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
On Thu, Jan 16, 2020 at 2:50 PM Pine W wrote:

> Some of us use the same 2FA for Phabricator as for on-wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?

Hi Pine,

Phabricator has its own 2fa system that is separate from that of your wiki account 2fa.

You may be using the same authenticator application on your phone, but there are separate accounts/codes for your wiki account and for your Phabricator account.

tl;dr: this only affects your Phabricator 2fa token, no other tokens.

Best,

Greg

--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
Re: [Wikitech-l] 14 January 2020 security incident on Phabricator
Hi David,

Thanks for the information.

Some of us use the same 2FA for Phabricator as for on-wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?

Is there a public ticket that people can watch for updates and where public questions may be asked?

Pine
( https://meta.wikimedia.org/wiki/User:Pine )

On Thu, Jan 16, 2020, 13:25 David Sharpe wrote:

> Hello,
>
> On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system.
>
> The Security team has investigated and assesses that there is no known impact from this incident. However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens. Additionally, we continue to encourage people to engage in online security best practices, such as keeping your software updated and resetting your passwords regularly.
>
> The Foundation will continue to investigate this incident and take steps to prevent it from occurring again in the future. In the meantime, Phabricator is online and functioning normally. We regret any inconvenience this may have caused and will provide updates if we learn of any further impact.
>
> Respectfully,
>
> David Sharpe
> Senior Information Security Analyst
> Wikimedia Foundation
[Wikitech-l] 14 January 2020 security incident on Phabricator
Hello,

On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system.

The Security team has investigated and assesses that there is no known impact from this incident. However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens. Additionally, we continue to encourage people to engage in online security best practices, such as keeping your software updated and resetting your passwords regularly.

The Foundation will continue to investigate this incident and take steps to prevent it from occurring again in the future. In the meantime, Phabricator is online and functioning normally. We regret any inconvenience this may have caused and will provide updates if we learn of any further impact.

Respectfully,

David Sharpe
Senior Information Security Analyst
Wikimedia Foundation
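A worked illustration of why the exposed second-factor secrets had to be reset, and of why the MediaWiki factor discussed earlier in the thread was not affected. This is an added example, not code from Phabricator or the Wikimedia Foundation. The thread identifies the Phabricator factor as TOTP, so the block implements HOTP and TOTP per RFC 4226 and RFC 6238 with the Python standard library, checks itself against the RFCs' published test vectors (the secret "12345678901234567890"), and shows that whoever holds a stored secret computes exactly the code the user's authenticator app displays, so the only remedy for a leaked secret is issuing a new one. A second service's secret is independent even when both live in the same app. The function names, the `window` setting, the 160-bit secret length and the sample timestamp are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would receive it in a provisioning QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side (clock drift).

    The comparison is constant-time so a wrong code cannot be told apart by timing.
    window=1 is an assumption for this example; deployments tune it.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def new_factor_secret(nbytes: int = 20) -> str:
    """Provision a fresh random secret (160 bits assumed), base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_factor_secret(b32: str) -> bytes:
    return base64.b32decode(b32, casefold=True)


def attacker_code_from_leaked_secret(leaked_b32: str, unix_time: int) -> str:
    """What a holder of the exported secret can compute: exactly what the user's app shows.

    The server verifies knowledge of the shared secret, not possession of the device,
    so it cannot distinguish the two.
    """
    return totp(decode_factor_secret(leaked_b32), unix_time)


def rotate_factor(leaked_b32: str) -> str:
    """Simulate the reset: issue a new, unrelated secret; codes from the leaked one stop verifying.

    (They still collide by chance at roughly 3 * 10^-6 per attempt for 6 digits with window=1.)
    """
    fresh = new_factor_secret()
    assert fresh != leaked_b32
    return fresh


if __name__ == "__main__":
    # Constructed demonstration: the leaked secret reproduces the user's code, a rotated one does not.
    t = 1579046400  # 2020-01-15 00:00:00 UTC, an arbitrary moment around the incident
    user_code = totp(RFC_TEST_SECRET, t)
    print("user's app shows  ", user_code)
    print("attacker computes ", attacker_code_from_leaked_secret(RFC_TEST_SECRET_B32, t))
    fresh = rotate_factor(RFC_TEST_SECRET_B32)
    print("old code accepted after reset?", verify_totp(decode_factor_secret(fresh), user_code, t))
    # A second service's factor (the MediaWiki one in the thread) is a separate secret,
    # even when both sit in the same authenticator app, so it is unaffected by this leak.
    other_service = new_factor_secret()
    print("other service code", totp(decode_factor_secret(other_service), t))
```

Two points the thread makes follow directly from the code: the server stores the same secret the phone holds, so a dump of the server-side factor table is equivalent to a copy of every user's authenticator entry, and revoking it means re-enrolling, not just logging out. Invalidating sessions and access tokens is the separate step for the other exposed material; rotating the TOTP secret does nothing for tokens that were already minted.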