CodeWalrus

CodeWalrus Website => Site Discussion => Site Discussion & Bug Reports => Topic started by: pimathbrainiac on February 24, 2017, 05:34:08 am

Title: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: pimathbrainiac on February 24, 2017, 05:34:08 am
Cloudflare has been compromised. It appears that someone has been exploiting a bug in Cloudflare to retrieve data in a manner similar to the heartbleed bug. Odds are, most of these sites have been affected, including other forums such as Omnimaga, so:

CHANGE YOUR PASSWORDS

(Incomplete) list of sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare

Source: https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: bb010g on February 24, 2017, 05:37:05 am
This is honestly a good time to change all of your passwords. No joke. Just set up password management software (if you want a solid free one, go with KeePass 2 (http://keepass.info/download.html) (highly recommend also installing the SimpleDatabaseBackup plugin (http://keepass.info/plugins.html#simpledbbackup))), get comfortable, and change them. I'm doing all of mine Saturday morning.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: pimathbrainiac on February 24, 2017, 05:38:25 am
Indeed. The number of sites (potentially) affected is staggering, and that essentially means no duplicate password is safe.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Juju on February 24, 2017, 05:41:25 am
Yeah, things like that keeps happening, so guess we'll need to change our passwords rather often? Oh well.

Another thing to do, many sites offer two-factor authentication, you might use that as well.

Concerning CodeWalrus, we do use Cloudflare for our DNS, but we don't really use the other features, but I still changed the password as a precaution. Well, that and the fact my other sites are on that account and they're even more potentially vulnerable.

Oh, also on that note, SHA-1 has been cracked. So stop using SHA-1.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on February 24, 2017, 05:55:15 am
This is bad. And CW is hosted on one of the affected site. I was gonna post a news about this after bb010g notified me but I wanted juju to change the site password first. Thankfully, as Juju said, CW doesn't use any Cloudflare service other than DNS, so I am unsure if it's affected as much as Omnimaga, for example.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: bb010g on February 24, 2017, 06:06:44 am
In this case, I would just assume every site on Cloudflare/using Cloudflare sites is vulnerable, which approximates to all of your passwords. (Cloudflare is pretty popular, and they only need to get one good high-level in before they've got other exploits inside sites.)
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Juju on February 24, 2017, 06:17:13 am
I have a bunch of vulnerable sites that uses the one feature that has been vulnerable on the CW account, so yeah.

Just saw a few of other sites (like Discord) telling their users to change their passwords, so yeah, you never know. Nothing is infallible and crypto can and will be cracked given enough CPU/GPU time. These technologies change crazy fast and it's kinda hard to keep up, especially on that field.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on February 24, 2017, 06:18:06 am
The crazy thing, though, is how many sites are affected. If you got accounts on hundreds of sites and forgot many of them then it's kinda problematic O.O
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Streetwalrus on February 24, 2017, 09:24:48 am
CW is NOT affected, as we don't use cloudflare's reverse proxy services, only their DNS. That holds true even if DO uses them.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Sorunome on February 24, 2017, 06:27:36 pm
On Omniamga if you had JS enabled and used the top login bar then your password was actually impossible to be compromised due to the additional password protection methods provided by my bcrypt mod, more on that here: https://ourl.ca/22448/405563
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on February 25, 2017, 05:05:12 am
Actually, CW uses that mod too so even if we used Cloudflare this would have protected us as much as on Omni. Thanks for that mod by the way. Despite the horror show that was the replies you got for that mod on SMF (two of their team members seem to think that paper, VHS tapes and Sears are the future in terms of innovation, if you get what I mean, and they censor or lash out at anyone suggesting otherwise), it will help in the long run considering how long it might take before SMF 2.1 comes out and it's better to be safe than sorry.
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: gameblabla on February 26, 2017, 06:17:58 pm
f*** cloudflare seriously.
I hate it because they unfairly blocked Tor users for no reasons and i warned people it was a man-in-the-middle service that could go against them
should it be compromised.
And here we are...

I urge all websites to get rid of it (including codewalrus and omnimaga).
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: p2 on February 26, 2017, 07:03:58 pm
codewalrus doesnt use it, only Omnimaga does. But otherwise I agree :)
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Sorunome on February 26, 2017, 07:05:37 pm
codewalrus doesnt use it, only Omnimaga does. But otherwise I agree :)
CW uses it for DNS, though......

@Juju why is that even the case?
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on February 26, 2017, 07:30:41 pm
I forgot why myself. IIRC juju had a good readon at the time but it has been 2 years

Cloudfkare is only good if you're getting frequently hit by DDoS attacks
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Juju on February 26, 2017, 11:26:40 pm
Pretty much. We can always enable it in case we need DDoS protection and/or we make the front page of Reddit or something, or any big file that needs a CDN.

Which I hope might never happen. (Well I'd like to make the front page of Reddit, but I hope it won't strain the server.)
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Unicorn on February 28, 2017, 08:02:58 am
Quick! Make DoomCE so we can be on reddit, Mateo! :P So do you guys suggest changing our password here or what?
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on March 05, 2017, 05:41:59 am
@Unicorn if a very big CW game (particularly a mainstream name like Doom, Mario, whatever) makes it on Reddit front page (eg if you post it there) or the top of a sub-reddit, make sure to warn the CW staff via PM so that we can make the entire staff global moderator :P (*glares at the nDoom incident*)
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: c4ooo on March 06, 2017, 01:45:45 am
@Unicorn if a very big CW game (particularly a mainstream name like Doom, Mario, whatever) makes it on Reddit front page (eg if you post it there) or the top of a sub-reddit, make sure to warn the CW staff via PM so that we can make the entire staff global moderator :P (*glares at the nDoom incident*)
Me wants storytime :3
/me runs
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on March 06, 2017, 03:52:02 am
nDoom made front page on many huge gaming news websites in Feb 2011 then again in Mar 2011. It also made it to EncyclopediaDramatica forum. The result is that a troll invasion ensued on Omnimaga and it almost went out of control (although the way some veterans of another site intervened near the end, after most of the problem had been solved, didn't help).

Also I recall Omnimaga hosting provider getting DDoS'ed multiple times shortly after the troll invasion and somewhere in early 2012. Not sure if it was linked to nDoom going viral, though. If anything, it would have been much worse if gaming sites had linked directly to Omnimaga first rather than my Youtube video (which got 500,000 views in a week).
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: Unicorn on March 09, 2017, 08:13:15 am
I hope you had that video monetized :trollface: But yeah, it would probably be a good idea to warn admins :P
Title: Re: Cloudflare Vulnerability Found - Time to Change Passwords
Post by: DJ Omnimaga on March 09, 2017, 08:22:32 am
Monetization did not exist on Youtube back then. Plus even if it did, in 2012-13 or so my video was wrongly claimed by some Belgian TV network for a few months until the copyright claim was revoked, so I would have lost a lot of my money. Besides, I am unsure if I would be allowed to make ad money on a video about a game I did not make. :P