Wikipedia's security hole

**Any administrator on Wikipedia can run any JavaScript code in all the visitors’ browsers. On the wiki for the English language [ref]en.wikipedia.org[/ref], the number of people with that power is currently 1458.[ref]http://en.wikipedia.org/wiki/Wikipedia:List_of_administrators[/ref]**

And many of these people are people with no name. I’m not saying they do anything harmful. I know many of them to be of the most honest kind.

But they can[ref]I have admin status on the Nynorsk Wikipedia, and fall into the category of people who can edit the JavaScript that can run in the visitor’s browser on that Wikipedia.[/ref].

I’m not going into details about any potential downsides to this, either. Wikipedia explains it best itself.

The edits to the Wikipedia JavaScript pages end up in the same log as the edits to Bob Dylan’s article.

But these are edits from trusted people, and because they are computer code that the common man cannot read, they are likely to live longer before being deleted.
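One way to keep script edits from getting lost among article edits is to filter them out of the shared log for separate review. The following is an added example, not code from Wikipedia or from the original post; the sample entries are constructed (user names and revision ids are made up) and shaped like the MediaWiki API's `list=recentchanges` output, and the helper names are hypothetical.

```javascript
// Constructed sample entries, shaped like MediaWiki API
// action=query&list=recentchanges results (ns, title, user, timestamp, revid, old_revid).
const sampleChanges = [
  { ns: 0, title: "Bob Dylan", user: "ExampleEditor", timestamp: "2012-01-05T10:00:00Z", revid: 1001, old_revid: 1000 },
  { ns: 8, title: "MediaWiki:Common.js", user: "ExampleAdmin", timestamp: "2012-01-05T10:02:00Z", revid: 1003, old_revid: 990 },
  { ns: 8, title: "MediaWiki:Sidebar", user: "ExampleAdmin", timestamp: "2012-01-05T10:03:00Z", revid: 1004, old_revid: 800 },
  { ns: 8, title: "MediaWiki:Gadget-example.js", user: "OtherAdmin", timestamp: "2012-01-05T10:05:00Z", revid: 1006, old_revid: 0 },
  { ns: 2, title: "User:ExampleEditor/common.js", user: "ExampleEditor", timestamp: "2012-01-05T10:06:00Z", revid: 1007, old_revid: 1002 },
];

const NS_MEDIAWIKI = 8; // "MediaWiki:" interface namespace, where site-wide scripts live

// Rough label for who receives the script (hypothetical helper for triage order).
function scriptScope(title) {
  if (/^MediaWiki:Common\.js$/i.test(title)) return "every visitor";
  if (/^MediaWiki:Gadget-/i.test(title)) return "gadget users";
  return "skin or feature specific";
}

// Return only edits to site-wide scripts, newest first, with what a reviewer needs.
function siteScriptEdits(changes) {
  return changes
    .filter((c) => c.ns === NS_MEDIAWIKI && /\.js$/i.test(c.title))
    .sort((a, b) => b.timestamp.localeCompare(a.timestamp))
    .map((c) => ({
      title: c.title,
      user: c.user,
      timestamp: c.timestamp,
      scope: scriptScope(c.title),
      isNewPage: c.old_revid === 0,
      // Query string for the index.php diff view; the site base URL is left out on purpose.
      diffQuery: c.old_revid ? `diff=${c.revid}&oldid=${c.old_revid}` : `oldid=${c.revid}`,
    }));
}

for (const e of siteScriptEdits(sampleChanges)) {
  console.log(`${e.timestamp} ${e.title} by ${e.user} [${e.scope}] ${e.diffQuery}`);
}
```

The article edit, the non-script interface page and the personal user script are all dropped; only the two site-wide scripts remain for review.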

And according to this very old page, Wikipedia had more than 2 500 page visits per second in 2007. So even a short-lived JavaScript hack could run on many computers.

So – all the administrators in Wikipedia have this power. Getting admin status in Wikipedia does require some serious work: you would have to write articles or provide other serious contributions. But with a one-factor authentication scheme and a very lenient password policy, one could imagine that admin accounts would slip into the hands of people with less than ideal motives.

I’m not saying it has happened.

But it could.