A certain number of "community" admins maintain that right to this day after it was realized this was a massive security hole.
> Based on the fact user scripts are globally disabled now I'm guessing this was a vector.
Disabled at which level? Browsers still allow for user scripts via tools like TamperMonkey and GreaseMonkey, and that's not enforceable (and arguably, not even trivially visible) to sites, including Wikipedia.
As I say that out loud, I figure there's a separate ecosystem of Wikipedia-specific user scripts, but arguably the same problem exists.
You can also upload scripts to be shared and executed by other users.
Unfortunately, Wikipedia is run on insecure user scripts created by volunteers that tend to be under the age of 18.
There might be more editors trying to resume boost if editing Wikipedia under your real name didn't invite endless harassment.
The Wikipedia community takes a cavalier attitude towards security. Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review. They added mandatory 2FA only a few years ago...
Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).
But that's not all. Most "power users" and admins install "user scripts", which are unsandboxed JavaScript/CSS gadgets that can completely change the operation of the site. Those user scripts are often maintained by long-abandoned user accounts with no 2-factor authentication.
Based on the fact user scripts are globally disabled now I'm guessing this was a vector.
The Wikimedia Foundation knows this is a security nightmare. I've certainly complained about this when I was an editor.
But most editors that use the website are not professional developers and view attempts to lock down scripting as a power grab by the Wikimedia Foundation.
No one doxxing others in that particular clique is going to do it from anything other than a burner account.
This is incorrect.
Many do it with accounts linked to their real onwiki profiles. jps is an example and I provided a link to unambiguous doxxing:
https://wikipediocracy.com/forum/viewtopic.php?f=38&t=14172
They've been doing it since 2016 when they started an "alt-right identification thread":
https://wikipediocracy.com/forum/viewtopic.php?f=38&t=8031
Others use accounts linked to their onwiki personas to ask for doxx. e.g. AndyTheGrump is a well-known user who posts in the "alt-right identification thread" about someone they dislike and getting a quick response. Here's AndyTheGrump asking for doxx on a user named "BlueGraf".
https://wikipediocracy.com/forum/viewtopic.php?f=38&t=8031&p...
Quickly followed up with that individual's full name and employment.
And many editors/admins participate in those doxxing threads to gawk or have fun under their real usernames.
Unsurprisingly, "Wikipedianon" is a hit-and-run profile created just for this post, AFAICT.
I don't want a world in which Trump regulates Wikipedia but pretending it's sunshine and rainbows is a joke at this point.
And the person you're replying to is strawmanning. I never said Beeblebrox doxxed anyone, just that they leaked secret information on a doxxing forum in violation of Wikipolicy and possibly privacy law.
I know that Beeblebrox did not doxx anyone and I said that in my comment. My point is leaking information to a doxxing forum sends the wrong message and is dangerous.
Maybe you should create an account and look at the "Wikimedian Folks Too Embarrassing for Public Viewing" forum and get back to me. Or do something about it before the Trump administration uses this as an excuse to censor enwiki. Either way here are some excerpts if you don't want to.
From the first page, here's an active editor (iii, known as jps or ජපස) doxxing someone about UFOs. I took out the names to be polite but it's all there:
https://wikipediocracy.com/forum/viewtopic.php?f=38&t=14172
"Is [username 1] (T-C-L) an alt account of [username 2] (T-C-L)?
For those who are not aware, [username2] is the name of an account used by one [redacted] on various platforms up until about 2024 when he more or less abandoned them. That account also was involved in the ongoing game of accusing [redacted] (T-H-L) of being [redacted] (T-C-L) which is about as fairly ludicrous an attempt at matching a Wikipedia username as I've ever seen.
Anyway, I feel like maybe he thought "If [__] can do it, so can I." And maybe that's the origin of the VPP.
Oh, this is about UFOs. Yeah, I'm in the shit. Maybe someone can link to some other stuff for you to read, but I just want to drop this here because I have nowhere else I get to speculate on these matters and everyone loves a good conspiracy theory data dump from time to time "
Here's the thread "Who is Wikipedia editor i.am.qwerty"
https://wikipediocracy.com/forum/viewtopic.php?f=38&t=13821
"I.am.a.qwerty (T-C-L) gathered up a bunch of those articles and some earlier material to create Wikipedia and antisemitism..."
It goes on:
"But who is I.am.a.qwerty? Let's suppose, just for the sake of argument, that I.a.am.a.qwerty is a PhD student named [real name]. Specifically, this [real name]:"
"[real name] is a PhD candidate [major] at [university name]. He received his BA (Hons) in [major] from [university]. Previously [real name] received his rabbinical ordination from the [other school] in [location] in [year]. [real name] is also the [job title] at [organization]."
I can't imagine any other community tolerating its members going on KiwiFarms and encouraging doxxing of other community members, so long as they didn't technically engage in it. But Wikipedia does.
True, but there aren't very many interface administrators. It looks like there are only 137 right now [0], which I agree is probably more than there should be, but that's still a relatively small number compared to the total number of active users. But there are lots of bots/duplicates in that list too, so the real number is likely quite a bit smaller. Plus, most of the users in that list are employed by Wikimedia, which presumably means that they're fairly well vetted.
[0]: https://en.wikipedia.org/w/api.php?action=query&format=json&...
I'm sure there are Google engineers who can push changes to prod and bypass CI but that isn't a normal way to handle infra.