Alternatively, join us on Discord.

Cloudflare Vulnerability Found - Time to Change Passwords

Started by pimathbrainiac, February 24, 2017, 05:34:08 am

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

pimathbrainiac

Cloudflare has been compromised. It appears that someone has been exploiting a bug in Cloudflare to retrieve data in a manner similar to the heartbleed bug. Odds are, most of these sites have been affected, including other forums such as Omnimaga, so:

CHANGE YOUR PASSWORDS

(Incomplete) list of sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare

Source: https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/
Well, I'm bach here too!

bb010g

This is honestly a good time to change all of your passwords. No joke. Just set up password management software (if you want a solid free one, go with KeePass 2 (highly recommend also installing the SimpleDatabaseBackup plugin)), get comfortable, and change them. I'm doing all of mine Saturday morning.

pimathbrainiac

Indeed. The number of sites (potentially) affected is staggering, and that essentially means no duplicate password is safe.
Well, I'm bach here too!

Juju

Yeah, things like that keeps happening, so guess we'll need to change our passwords rather often? Oh well.

Another thing to do, many sites offer two-factor authentication, you might use that as well.

Concerning CodeWalrus, we do use Cloudflare for our DNS, but we don't really use the other features, but I still changed the password as a precaution. Well, that and the fact my other sites are on that account and they're even more potentially vulnerable.

Oh, also on that note, SHA-1 has been cracked. So stop using SHA-1.
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

This is bad. And CW is hosted on one of the affected site. I was gonna post a news about this after bb010g notified me but I wanted juju to change the site password first. Thankfully, as Juju said, CW doesn't use any Cloudflare service other than DNS, so I am unsure if it's affected as much as Omnimaga, for example.

bb010g

In this case, I would just assume every site on Cloudflare/using Cloudflare sites is vulnerable, which approximates to all of your passwords. (Cloudflare is pretty popular, and they only need to get one good high-level in before they've got other exploits inside sites.)

Juju

I have a bunch of vulnerable sites that uses the one feature that has been vulnerable on the CW account, so yeah.

Just saw a few of other sites (like Discord) telling their users to change their passwords, so yeah, you never know. Nothing is infallible and crypto can and will be cracked given enough CPU/GPU time. These technologies change crazy fast and it's kinda hard to keep up, especially on that field.
Read Zarmina!
YUKI-CHAAAANNNN
In the beginning there was walrii. In the end there will be walrii. All hail our supreme leader :walrii: --Snektron



if you wanna throw money at me and/or CodeWalrus monthly it's here

DJ Omnimaga

The crazy thing, though, is how many sites are affected. If you got accounts on hundreds of sites and forgot many of them then it's kinda problematic O.O

Streetwalrus

CW is NOT affected, as we don't use cloudflare's reverse proxy services, only their DNS. That holds true even if DO uses them.

Sorunome

On Omniamga if you had JS enabled and used the top login bar then your password was actually impossible to be compromised due to the additional password protection methods provided by my bcrypt mod, more on that here: https://ourl.ca/22448/405563
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

DJ Omnimaga

Actually, CW uses that mod too so even if we used Cloudflare this would have protected us as much as on Omni. Thanks for that mod by the way. Despite the horror show that was the replies you got for that mod on SMF (two of their team members seem to think that paper, VHS tapes and Sears are the future in terms of innovation, if you get what I mean, and they censor or lash out at anyone suggesting otherwise), it will help in the long run considering how long it might take before SMF 2.1 comes out and it's better to be safe than sorry.

gameblabla

f*** cloudflare seriously.
I hate it because they unfairly blocked Tor users for no reasons and i warned people it was a man-in-the-middle service that could go against them
should it be compromised.
And here we are...

I urge all websites to get rid of it (including codewalrus and omnimaga).

p2

codewalrus doesnt use it, only Omnimaga does. But otherwise I agree :)
Anyway war sucks. Just bring us your food instead of missiles  :P ~ DJ Omnimaga (11.10.2016 20:21:48)
if you cant get a jframe set up, draw stuff to it, and receive input, i can only imagine how horrible your game code is _._   ~ c4ooo (14.11.2016 22:44:07)
If they pull a Harambe on me tell my family I love them ~ u/Pwntear37d (AssangeWatch /r/)
make Walrii great again ~ DJ Omnimaga (28.11.2016 23:01:31)
God invented the pc, satan the smartphone I guess ~ p4nix (16.02.2017 22:51:49)

Sorunome

Quote from: p2 on February 26, 2017, 07:03:58 pm
codewalrus doesnt use it, only Omnimaga does. But otherwise I agree :)
CW uses it for DNS, though......

@Juju why is that even the case?
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

DJ Omnimaga

I forgot why myself. IIRC juju had a good readon at the time but it has been 2 years

Cloudfkare is only good if you're getting frequently hit by DDoS attacks

Powered by EzPortal