
"Cloudbleed"



Just a heads up, Google researchers discovered and reported a security flaw with Cloudflare, a widely used CDN, which made it possible for sites to leak password information (and other critical data). No known malicious attacks have been reported as it was patched very quickly, however there is a possibility your password could have been leaked and that someone was listening when it was. As a precaution it is highly recommended you change your password if you use an account on any of the sites listed in the following zip: https://github.com/pirate/sites-using-cloudflare/archive/master.zip This is potentially as serious as the Heartbleed bug last year; major domains affected include: reddit.com, patreon.com, bitpay.com, okcupid.com, zendesk.com, namecheap.com, tfl.gov.uk, stackoverflow.com, 1password.com, jquery.com, discordapp.com, change.org, fanpop.com, gametracker.com, etc. Over 4.2 million known sites were affected. If you happen to host a website which uses Cloudflare, make sure to warn your customers and recycle all certificates, cookie authentication, etc.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/


Keep in mind not all sites were necessarily affected; it's just possible that they could be. Check with site owners if you want to be sure (or just change your password, since such things should be done regularly anyway).

@Caelum jkhub.org is listed as an affected site, so everyone should probably change their passwords just in case. I doubt anyone was listening, but you never know. Caelum says on Discord that "JKH is completely unaffected by this." Apparently it doesn't use Cloudflare for anything but resolving the domain name.

Also, Google demonstrated and showed that SHA-1 is broken (just like MD5 has been for several years), so if you're encrypting anything relying on SHA-1 you'd better upgrade to SHA-256 or another better encryption scheme. https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Edited by Darth Futuza