Code Vulnerability Located And Eliminated From Wikipedia Software

Posted: February 5, 2014 in Articles

Wikipedia almost compromised due to a recent flaw found in open-source software.

When we think of Wikipedia, we don’t conjure images of dangerous page loads and deliberately misleading information. At worst, Wikipedia can provide you with some good information and some bad information. It’s really up to you to distinguish between the good and the bad. Even so, we wouldn’t necessarily characterize Wikipedia as “dangerous” in any way. But, the content of Wikipedia isn’t the only potentially dubious thing about the website. Recently, Wikipedia located and neutralized a harmful gap in their open-source code that could have been catastrophic for both the website and its millions of users.

The software used by Wikipedia (and other wiki sites) is called “MediaWiki”, and version 1.8 of that software had a glaring security hole that could have been exploited had it not been discovered and eliminated. The Wikimedia Foundation (the non-profit group that runs Wikipedia), together with the security firm Check Point, found the loophole recently and quickly patched it to avoid any potential danger. The bug affected all versions of MediaWiki from 1.8 onward and may have been present in earlier versions of the software. Luckily for most users of the website (or of the software in general), the bug was fixed.


The security issue was a remote code execution flaw that could have allowed a malicious attacker to gain control of any website running the MediaWiki software. The flaw left the MediaWiki application server open to wholesale changes: an attacker could have gained access remotely and executed shell code on the application, which in turn could have given them access to user information. The vulnerability is being referred to as “CVE-2014-1610,” and it was found in Wikimedia’s PdfHandler extension as well. That issue has also been resolved.
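As an added illustration of the bug class described above (a conversion helper that builds a shell command from request parameters), and not code from MediaWiki or the PdfHandler extension: a vulnerable command builder that splices the page parameter into a shell string, beside a hardened version that validates the page number against an allowlist and passes an argument vector to the converter with no shell involved. The converter path, helper names and the sample inputs are assumptions made for this example.

```python
"""Shell injection in a document-conversion helper: vulnerable vs. hardened.

Added illustration of the bug class only. This is not MediaWiki or PdfHandler
code; the converter path, helper names and sample inputs are constructed.
"""
import shlex
import subprocess
from typing import List, Optional

# Hypothetical converter binary used by the thumbnail helper (assumption).
CONVERTER = "/usr/bin/pdftoppm"
MAX_PAGE = 10_000

# Shell control operators that must never originate from request data.
CONTROL_CHARS = set("();<>|&")


def build_command_vulnerable(src: str, page: str) -> str:
    """VULNERABLE: the 'page' request parameter is spliced into a shell string.

    Anything the user places after a ';' becomes a second command once this
    string reaches /bin/sh (e.g. via subprocess.run(..., shell=True)).
    """
    return f"{CONVERTER} -f {page} -l {page} {src} out"


def shell_control_tokens(cmd: str) -> List[str]:
    """Tokenise a shell string the way sh would and return its control operators.

    Used as a pre-execution guard / test oracle: a converter invocation built
    from a single page number should never contain any of them.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= CONTROL_CHARS]


def safe_page_number(page: str) -> Optional[int]:
    """Allowlist validation: decimal digits only, within a sane range; else None."""
    if not page.isdigit():
        return None
    n = int(page)
    if not 1 <= n <= MAX_PAGE:
        return None
    return n


def build_command_hardened(src: str, page: str) -> List[str]:
    """HARDENED: validated integer, argv list, no shell parses the arguments."""
    n = safe_page_number(page)
    if n is None:
        raise ValueError("page must be an integer between 1 and %d" % MAX_PAGE)
    return [CONVERTER, "-f", str(n), "-l", str(n), src, "out"]


def build_command_quoted(src: str, page: str) -> str:
    """If a shell string is unavoidable, quote every untrusted argument.

    shlex.quote() here; escapeshellarg() is the PHP equivalent.
    """
    n = safe_page_number(page)
    if n is None:
        raise ValueError("invalid page")
    return " ".join([CONVERTER, "-f", str(n), "-l", str(n), shlex.quote(src), "out"])


def render_page(src: str, page: str) -> subprocess.CompletedProcess:
    """Run the hardened invocation; shell=False so argv reaches execve verbatim."""
    return subprocess.run(build_command_hardened(src, page),
                          capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed request parameter carrying a shell injection attempt.
    tainted = "1; id"
    vuln = build_command_vulnerable("in.pdf", tainted)
    print("vulnerable :", vuln)
    print("operators  :", shell_control_tokens(vuln))
    print("hardened   :", build_command_hardened("in.pdf", "1"))
    print("quoted     :", build_command_quoted("a;b.pdf", "1"))
```

The two fixes are complementary: the allowlist rejects anything that is not a page number at all, and passing an argv list (or quoting with shlex.quote when a shell string cannot be avoided) ensures that even an unexpected value is delivered to the converter as data rather than parsed by the shell as syntax.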

What the Vulnerability Means

While this particular vulnerability was squashed, that does not mean it could not have had major implications for the MediaWiki software and the reliability of the Wikipedia service as a whole. If an attacker had reached the loophole in the code before Wikimedia and Check Point Security did, they could have controlled the servers that run the MediaWiki software (including those of Wikipedia.org). This control would have allowed them to inject malware that could have infected the computers of the millions of visitors who go to Wikipedia each day. This clearly would have been a major blow to one of the most respected websites on the internet.

This is only the third such vulnerability that Wikipedia has faced since 2006, and all three were located and terminated before an attacker could get their hands on them. Even so, it underscores the importance of high-quality internet security, especially for websites that have a lot at stake. If Wikipedia had let the vulnerability go unnoticed, it would have been only a matter of time before users across the wiki universe were infected with malware or other viruses.

Open-source software is something that has been championed and is being increasingly used throughout the internet. It’s important for the good guys—the ones creating the software collectively—to understand where their vulnerabilities are and how to fix them if they should arise. One small misstep in the code and you could have a major issue on your hands. Thankfully for Wikipedia and their MediaWiki software, the problems were taken out before they had a chance to materialize.

Martin Scott is a software engineer and programming instructor. He has expertise in open source software and JavaScript.
