Wikipedia was forced into read-only mode after a classic XSS worm compromised admin accounts. Let's unpack this dumpster fire of jQuery and PHP memes.

Just when you thought XSS worms were a relic of the MySpace era, Wikipedia gets body-slammed by a piece of JavaScript hiding behind jQuery. Imagine trying to look up some obscure software engineering concept, only to be greeted by a glaring red "Read-only mode" banner.
Yep, Wikimedia Foundation had to lock down the entire internet's encyclopedia because a bunch of admin accounts got massively compromised. Let's unpack this glorious dumpster fire.
For those who missed the chaotic status updates, Wikipedia basically had to revoke write access for everyone. The culprit? An old-school Cross-Site Scripting (XSS) worm.
The payload somehow managed to inject itself into the global MediaWiki:Common.js page (and User:Common.js as a fallback). Once a user loaded the infected script, it executed a wild sequence of events:
Special:Nuke to silently delete 3 random articles from the global namespace, plus another 20 using the action=delete endpoint.

The dev community's reaction has been a mix of pure nostalgia and cynical tech-bashing.
1. The "Script Kiddie" Theory
Security sleuths quickly noticed the worm tried to load an additional XSS script from basemetrika.ru. The hilarious part? That domain doesn't even exist (NXDomain response). This sparked debates on whether it's a script kiddie who messed up their payload, or if the worm was hallucinated by an AI that just made up a fake URL.
2. The Missed Opportunity
As one pragmatic dev pointed out: If you have a self-replicating XSS worm running in the browsers of Wikipedia admins, why just vandalize articles? They could have easily harvested credentials via browser autofill. A massive credential leak would be infinitely worse. Instead, the attacker chose chaos and 5000px images.
3. The Obligatory PHP Bashing
It wouldn't be a MediaWiki drama without someone dragging PHP through the mud. One commenter summed it up perfectly: "Here before someone says that it's because MediaWiki is written in PHP - the language where 'return flase' causes it to return true."
4. Peak Wikipedia Humor
Even locked-out editors couldn't resist a joke: "How do we know Wikipedia is down? Has this been published in a Reliable Source?"
Jokes aside, there's a serious lesson here. MediaWiki has historically allowed high-level users to embed custom JS for UI tweaks. From a security standpoint, that's like handing out loaded shotguns at a party.
As developers, let this be your daily reminder: Never trust user input. It doesn't matter if they are a regular user, an Admin, or the CEO. Sanitize your inputs, implement strict Content Security Policies (CSP), and for the love of god, don't execute raw user-provided strings. Otherwise, you might be the one writing an incident report at 3 AM.
Sources: