Stewards' noticeboard - Meta-Wiki
From Meta, a Wikimedia project coordination wiki
Notice: SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 2 days and sections whose most recent comment is older than 30 days.
I talked about this in the Wikimedia Community Discord, and I was directed here by a steward (@AntiCompositeNumber:). Apparently 2 years ago the Turkish Wikipedia added a script to its common.js that monitors the browsers of every Wikipedia reader, logged in or otherwise, and publicly reports changes to the HTML using the "inspect element" tool of the browser. Here's the script, and here's the frankly way too short discussion in trwiki about its implementation.
I found out about this after another user tried to talk about this in the Turkish Wikipedia's village pump, but it was reverted as a "troll" just a few hours later. I tried it to see if it was true after reading about its reverted discussion. I was threatened with a block for this experiment, so I did not continue. Thanks for your attention. Betseg (talk) 23:07, 10 April 2026 (UTC)
To add a bit more context here, the script causes the user to make an edit on a report page if the user uses the console to edit their username specifically for the purposes of impersonating an administrator. Apparently there has been a problem with users using the console to change the username and then take screenshots for use off-wiki. Would appreciate someone a bit more technically minded confirming exactly how the script does that and if it is violating user privacy in doing so - at a glance I don't see anything myself. – Ajraddatz (talk) 23:49, 10 April 2026 (UTC)
The primary problem I see is that this script is causing automated revisions to be published under the logged-in user account without an intentional action to publish. As a result, a revision is attributed to that user and licensed under CC BY-SA, undermining the expectation of informed consent. This does not appear to require emergency intervention, as the script does not appear to capture or publish any sensitive information (such as browser or OS data). This seems like an inappropriate use of common.js and is trivial for bad actors to bypass. I suggest this project look into using AbuseFilter or other server-side mechanisms to log suspicious edits instead. — xaosflux Talk 00:40, 11 April 2026 (UTC)
I'm not sure that the AbuseFilter would work here, as there are no edits that could be flagged. I agree generally with the concern around forcing the user to publish an edit. However, if WMF Legal has already reviewed, I'm not sure what else we would be able to do here, other than nudging the community to make changes or re-evaluate the need for the script. – Ajraddatz (talk) 03:21, 11 April 2026 (UTC)
Ah ok, so these are people that aren't even attempting to publish a revision - that are then being tricked into publishing a revision without being shown and agreeing to the TOU and Copyright notice - that seems like an issue itself. Not sure if that specific concern was brought up to Legal. — xaosflux Talk 13:51, 11 April 2026 (UTC)
This is not a security problem. If interface admins want to do weird stuff they will. If the trwiki community is OK with what that script is doing, I don't see a problem. I would personally avoid doing such things, but hey, some LTAs are weird and dumb, so maybe that works. I mean, this should only work once. Nux (talk) 22:18, 12 April 2026 (UTC)
Read WMF Legal's comment here: [1]. Nemoralis (talk) 02:43, 11 April 2026 (UTC)
So is blocking users for editing their local HTML, and threatening to block users and calling them a troll for trying to start a discussion about this, ok? Betseg (talk) 05:26, 2 May 2026 (UTC)
Imagine User:"A" controls User:"A alt", and it's unambiguous, e.g. each account has a userbox saying "This is the same user as [other username]". The account owner then decides to switch the accounts, e.g. "A" becomes "A old" and "A alt" becomes "A". Are there any technical reasons this couldn't happen? And if it's technically doable, is it something that would be considered, assuming the circumstances weren't inappropriate?
Context — en:w:WP:VPT#Unable to update or remove email address involves someone who's concerned about getting locked out of his account, due to an inability to use his account's email address. I've suggested creating an alt account, and if he gets locked out, asking for this kind of round-robin account renaming. Nyttend (talk) 02:25, 7 May 2026 (UTC)
While the software will permit overriding the username for a prior account conflict, this is just a bad practice. Someone who is concerned about being locked out should set up TOTP AND store their scratch codes, AND consider adding additional authenticators. They can also change their email recovery address anytime they change email providers. They should not rely on emailauth in this user story. They may also want to publish a cryptographic proof that the staff could use should they need a manual account recovery. — xaosflux Talk 20:44, 10 May 2026 (UTC)
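The recovery advice above (TOTP plus stored scratch codes) is easier to evaluate when the two mechanisms are seen side by side. The following is an added example written for this page, not code from MediaWiki's OATHAuth extension or from anyone in the thread. It implements TOTP exactly as RFC 6238 / RFC 4226 specify (HMAC over a big-endian time counter, dynamic truncation, decimal modulus), so it reproduces the RFC's published test vectors, and pairs it with a constructed scratch-code store that keeps only hashes and lets each code be redeemed once, which is what makes scratch codes a usable lockout fallback rather than a second password.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept codes from the current slot and `window` slots either side (clock skew).
    compare_digest keeps the comparison constant-time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret in the base32 form authenticator apps enrol from."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


class ScratchCodes:
    """Constructed single-use recovery codes. The plaintext list is shown to the user once;
    the server keeps only SHA-256 hashes (the codes are high-entropy random values, so a
    plain hash suffices) and deletes a hash when its code is redeemed."""

    def __init__(self, count: int = 10):
        self.plain = [secrets.token_hex(8) for _ in range(count)]   # 64 bits each
        self._hashes = {self._h(c) for c in self.plain}

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        h = self._h(code)
        if h in self._hashes:
            self._hashes.remove(h)      # consumed: the same code will not work again
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); constructed usage only.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59, digits=8))   # RFC vector 94287082
    print("code now    :", totp(secret, int(time.time())))
    sc = ScratchCodes(3)
    print("scratch codes (show once):", sc.plain)
    print("first redeem:", sc.redeem(sc.plain[0]), "second redeem:", sc.redeem(sc.plain[0]))
```

The verification window is the design choice worth noticing: one slot of tolerance absorbs ordinary clock drift, while a wider window proportionally increases the number of codes that would be accepted at any moment, so it should stay small. Scratch codes are stored hashed and removed on use for the same reason a backup password would not be: a leaked list of already-spent codes is worthless.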