The Wikia Security Manifesto

In the last two years, Wikia has had at least 4 major security breaches; and those are just the ones that we, the users, know about. Because of these incidents, Wikia has finally started giving a crap about security. There have been some major improvements. However, security is still significantly lacking here on Wikia. Many issues still exist.

Of the MANY security issues that still exist, here are my personal favorites:

  • HTTPS is still not supported, despite allegedly having been in development for years.
  • The code audits are not properly performed. I have seen insecure code pass.
  • Uploaded files are not scanned, despite the possibility that they carry a malicious payload.
  • Policy is inconsistently enforced.
  • External resources are loaded over insecure channels (plain HTTP) when secure ones (HTTPS) are freely available.

In raising these issues, I am not saying that Wikia doesn't care about security. On the contrary, the introduction of the Code Review system and the removal of Verbatim show that Wikia is clearly putting its best effort forward, and we all appreciate that.

However, Wikia's best effort simply isn't good enough. The work Wikia is capable of expending on looking for and addressing security issues is simply less than the amount of work required to deal with the issues at hand. They are not unwilling; they are unable. More needs to be done.

With that in mind, knowing that Wikia is unable to provide a reasonable level of security, I call upon my fellow users to help bridge the gap in Wikia's security. Nobody else is able and willing to bridge the gap.

Here's some basic things you can do to protect yourselves and others on Wikia.

  • At least glance at the URL bar when you go to a page, and make sure the domain is actually Wikia's and not a phishing site. Compromised accounts inconvenience everyone because of the potential for sabotage and malware injection.
  • When you load external resources, at least TRY to load them in a secure manner. Use HTTPS instead of HTTP whenever possible. Use IRCS instead of IRC. Never use Telnet. This also applies to outbound links.
  • If or when you find a security issue with Wikia, report it as appropriate. Alert Wikia at Special:Contact/security. If it's with a third-party script, tell the scriptwriter.
  • Have a security policy. The biggest threat to security on Wikia is stupidity. Don't allow your users to do things that jeopardize everyone's safety and privacy. Don't let people hand out promotions like pens at a convention. Yes, people do this; and yes, they should be ashamed of themselves.
  • Glance over Lua code before using it, since a module that errors or misbehaves can break every page that invokes it.
  • Double-check JavaScript before you install it. Yes, Wikia has a vetting process for it now, but they've missed things before, so be careful.
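
The first two points above (check the domain, and prefer HTTPS and IRCS over plain HTTP and IRC) can be turned into a quick audit you run over the links and script imports on a wiki page, or over your own current URL. The code below is an added example written for this post, not Wikia's code or anything Wikia ships. It assumes "wikia.com" is the trusted domain and, because the post says HTTPS is not yet supported there, also lists it as HTTP-only so the audit does not suggest an upgrade that would break; the lookalike check is a simple heuristic (trusted brand label present in a host that is not under the trusted domain) and the sample URLs are constructed.

```javascript
// Added example, not Wikia's own code. Audits URLs (outbound links, script
// imports, chat links, or location.href) for the two problems called out
// above: plaintext transport and hosts that only resemble a trusted domain.
//
// Assumptions (not from the post): trusted domain "wikia.com", which is also
// treated as HTTP-only because the post says HTTPS is not supported there.

const SECURE_COUNTERPART = {
  'http:': 'https:',  // plain HTTP -> HTTPS
  'irc:': 'ircs:',    // plain IRC -> IRC over TLS
  'telnet:': null,    // no secure variant exists; do not use it at all
};

function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns null when the URL is acceptable, otherwise an object naming the
// problem and, where one exists, a secure replacement URL.
function auditUrl(raw, opts) {
  const trusted = opts.trustedHosts || [];
  const httpOnly = opts.httpOnlyHosts || [];
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { url: raw, issue: 'unparseable', fix: null };
  }
  const host = url.hostname.toLowerCase();

  // 1. Phishing/lookalike heuristic: the host contains a trusted brand label
  //    (e.g. "wikia") but is not actually under the trusted domain.
  for (const domain of trusted) {
    const brand = domain.split('.')[0];
    if (!underDomain(host, domain) && host.includes(brand)) {
      return { url: raw, issue: 'lookalike-host', fix: null };
    }
  }

  // 2. Transport check: plaintext scheme where a TLS variant exists. Hosts
  //    known not to offer TLS (per the post, Wikia itself) get no fix offered.
  if (Object.prototype.hasOwnProperty.call(SECURE_COUNTERPART, url.protocol)) {
    const secure = SECURE_COUNTERPART[url.protocol];
    const cannotUpgrade =
      secure === null || httpOnly.some((d) => underDomain(host, d));
    return {
      url: raw,
      issue: 'insecure-scheme',
      fix: cannotUpgrade
        ? null
        : secure + '//' + url.host + url.pathname + url.search + url.hash,
    };
  }
  return null;
}

function auditAll(urls, opts) {
  return urls.map((u) => auditUrl(u, opts)).filter((r) => r !== null);
}

// Constructed sample input: a real-looking Wikia link, a lookalike phishing
// host, an external script, an IRC link, a Telnet link, and one clean URL.
const SAMPLE = [
  'http://community.wikia.com/wiki/Special:Contact/security',
  'http://community.wikia.com.login-check.example/wiki/Login',
  'http://example.org/scripts/tool.js',
  'irc://irc.freenode.net/wikia',
  'telnet://bbs.example.net',
  'https://example.org/',
];
const OPTS = { trustedHosts: ['wikia.com'], httpOnlyHosts: ['wikia.com'] };

for (const finding of auditAll(SAMPLE, OPTS)) {
  console.log(finding.issue, finding.url, finding.fix ? '-> ' + finding.fix : '');
}
```

In a browser you would feed it `Array.from(document.querySelectorAll('a[href], script[src]')).map((el) => el.href || el.src)` plus `location.href`; the lookalike rule is deliberately crude and will also flag unrelated hosts that happen to contain the brand label, which is the safer direction for a phishing check.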

With the basics out of the way, I call upon my fellow users to do something else: get creative. Start thinking about all the things that could be a threat. Build tools to prevent those threats, or at least detect them. Wikia lets users publish code. Wikia, in its truest form, is about shared creativity. So be creative about how we can defend ourselves, and share your creations. Wonder "what would happen if someone did this instead of what they're supposed to do?" This is how Heartbleed was discovered. There is infinite potential for suffering, but there's infinite potential for protection and joy. There's potential for discovery and wonder. So harness the creativity that brought you here, and defend yourself and your fellow users.


