Security: You might want to change passwords on sites that use Cloudflare

Not gaming news, but still important to get across. Cloudflare has written a blog post detailing a security issue that was identified, and it is important to know about.

Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do.

The most important bit to know about:
Quote: "It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines."


You can find more info on this GitHub page. Take that list with a pinch of salt though, since it's early days and it needs to be cleared up for sites that were definitely affected.

Also see the actual blog post from Cloudflare here.

I do suggest my patrons on Patreon change their passwords. To be clear, this is not an issue with Patreon, but a Cloudflare issue affecting many sites.

Thanks again to mphuZ on Twitter for letting me know. Article taken from GamingOnLinux.com.
Levi 24 February 2017 at 1:03 pm UTC
Quote: "You can find more info on this GitHub page."
Take this list with a grain of salt. It is still in development and contains many sites that were not affected by this leak. The author took DNS records at face value instead of checking the actual web server used.

The only vulnerable sites were those using the Cloudflare web proxy feature. DNS-only sites are safe.

Changing passwords is still never a bad idea, especially if you reuse passwords on multiple sites.


Quote: "Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do."
Not anymore at least
liamdawe 24 February 2017 at 1:05 pm UTC
Levi
Quote: "Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do."
Not anymore at least
Well, we haven't used them for quite some time and a long time before this was an issue, so we are in the clear.
km3k 24 February 2017 at 1:11 pm UTC
Levi
Quote: "You can find more info on this GitHub page."
Take this list with a grain of salt. It is still in development and contains many sites that were not affected by this leak. The author took DNS records at face value instead of checking the actual web server used.

The only vulnerable sites were those using the Cloudflare web proxy feature. DNS-only sites are safe.

Changing passwords is still never a bad idea, especially if you reuse passwords on multiple sites.
Not anymore at least

It should be noted that the authors of that GitHub repo are removing from the list DNS-only sites and other sites confirmed not to be affected. See the commit history for details.
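
The distinction drawn in the comments above, between sites that only use Cloudflare DNS and sites actually served through its proxy, as an added example (not code from the article, the commenters or the GitHub list). It assumes the proxy marks responses with a `CF-RAY` header and a `Server` value starting with `cloudflare`; all hostnames, records and header values are constructed samples.

```python
# Added example: hostnames, NS records and headers below are constructed samples.
SAMPLES = [
    {"host": "proxied.example", "ns": ["amy.ns.cloudflare.com."],
     "headers": {"Server": "cloudflare-nginx", "CF-RAY": "0000000000000000-LHR"}},
    {"host": "dnsonly.example", "ns": ["amy.ns.cloudflare.com."],
     "headers": {"Server": "nginx"}},
    {"host": "cname.example", "ns": ["ns1.registrar.example."],
     "headers": {"server": "cloudflare", "cf-ray": "1111111111111111-AMS"}},
    {"host": "other.example", "ns": ["ns1.hoster.example."],
     "headers": {"Server": "Apache"}},
]

def uses_cloudflare_dns(ns_records):
    """True if any authoritative nameserver is under ns.cloudflare.com."""
    return any(ns.rstrip(".").lower().endswith(".ns.cloudflare.com")
               for ns in ns_records)

def served_by_cloudflare_proxy(headers):
    """Heuristic: the proxy adds CF-RAY and a Server value starting 'cloudflare'."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return "cf-ray" in h or h.get("server", "").startswith("cloudflare")

def classify(obs):
    """Decide from the HTTP response first; DNS alone only means 'dns-only'."""
    if served_by_cloudflare_proxy(obs["headers"]):
        return "proxied"
    if uses_cloudflare_dns(obs["ns"]):
        return "dns-only"
    return "not-cloudflare"

def dns_list_errors(samples):
    """Hosts a nameserver-only list gets wrong: (false positives, misses)."""
    false_pos = [s["host"] for s in samples
                 if uses_cloudflare_dns(s["ns"]) and classify(s) != "proxied"]
    missed = [s["host"] for s in samples
              if not uses_cloudflare_dns(s["ns"]) and classify(s) == "proxied"]
    return false_pos, missed

if __name__ == "__main__":
    for s in SAMPLES:
        print(f'{s["host"]:18} {classify(s)}')
    print("DNS-only list errors:", dns_list_errors(SAMPLES))
```

A header check only describes how a site is served at the time of the request; it says nothing about whether the site was proxied while the leak was active.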
Levi 24 February 2017 at 1:22 pm UTC
km3k: "It should be noted that the authors of that GitHub repo are removing from the list DNS-only sites and other sites confirmed not to be affected. See the commit history for details."

You are entirely correct. Just asked people to double check before shouting in the empty void of birds.
silmeth 24 February 2017 at 2:43 pm UTC
More technical info about the incident (what kind of data leaked, what numbers, how and why, and how the issue was resolved and in which timeframe) can also be seen on Google’s Project Zero issue about it.

Seems there is a chance it hasn’t been exploited yet, but as the data leaked to web crawlers, people do have leaked data cached (and may not even realize it yet), and that cached data may be used later.
Nyamiou 25 February 2017 at 12:20 am UTC
It's much more severe than just passwords. Basically everything you have been doing on those websites could have been leaked. People can use those data to blackmail you. And since the Google crawler managed to get this kind of data into their cache we can assume a lot of others did as well.