Security: You might want to change passwords on sites that use Cloudflare

Not gaming news, but still important to get across. Cloudflare has written a blog post detailing a security issue that was identified, and it's important to know about.

Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do.

The most important bit to know about:
Quote: It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.


You can find more info on this GitHub page. Take that list with a pinch of salt though, since it's early days and it still needs to be narrowed down to sites that were definitely affected.

Also see the actual blog post from Cloudflare here.

I do suggest my patrons on Patreon change their passwords. To be clear, this is not an issue with Patreon, but a Cloudflare issue affecting many sites.

Thanks again to mphuZ on Twitter for letting me know. Article taken from GamingOnLinux.com.
6 comments

Levi 24 Feb, 2017
Quote: You can find more info on this github page.
Take this list with a grain of salt. It is still in development and contains many sites that were not affected by this leak. The author took DNS records at face value instead of checking the actual web server used.

The only vulnerable sites were those using the Cloudflare web proxy feature. DNS-only sites are safe.

Changing passwords is still never a bad idea, especially if you reuse passwords on multiple sites.


Quote: Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do.
Not anymore at least :P
Liam Dawe 24 Feb, 2017
Quoting: Levi
Quote: Note: GOL is not affected, as we don't use Cloudflare, however, a lot of other sites do.
Not anymore at least :P
Well, we haven't used them for quite some time and a long time before this was an issue, so we are in the clear :)
km3k 24 Feb, 2017
Quoting: Levi
Quote: You can find more info on this github page.
Take this list with a grain of salt. It is still in development and contains many sites that were not affected by this leak. The author took DNS records at face value instead of checking the actual web server used.

The only vulnerable sites were those using the Cloudflare web proxy feature. DNS-only sites are safe.

Changing passwords is still never a bad idea, especially if you reuse passwords on multiple sites.
Not anymore at least :P

It should be noted that the authors of that GitHub repo are removing from the list DNS-only sites and other sites confirmed not to be affected. See the commit history for details.
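The distinction Levi and km3k draw above, between sites that only use Cloudflare for DNS and sites whose HTTP traffic goes through the Cloudflare proxy, can be checked mechanically. The following is an added example, not code from the GitHub repo or from Cloudflare; the hostnames and records are constructed, and the address ranges are assumed to be a subset of the list Cloudflare publishes at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Assumption: a subset of the IPv4 ranges Cloudflare publishes at
# https://www.cloudflare.com/ips/ ; load the current list in real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18",
    "173.245.48.0/20", "188.114.96.0/20",
)]

def uses_cloudflare_dns(ns_records):
    """True when the zone is delegated to Cloudflare's name servers."""
    return any(ns.rstrip(".").lower().endswith(".ns.cloudflare.com")
               for ns in ns_records)

def served_by_cloudflare_edge(a_records):
    """True when any address the host resolves to is a Cloudflare edge IP."""
    return any(ipaddress.ip_address(a) in net
               for a in a_records for net in CLOUDFLARE_NETS)

def classify(ns_records, a_records):
    """Separate proxied hosts from DNS-only ones.

    Only traffic that passed through the proxy could have been exposed,
    so NS delegation alone is not evidence that a site was affected.
    """
    if served_by_cloudflare_edge(a_records):
        return "proxied"          # HTTP passes through Cloudflare's edge
    if uses_cloudflare_dns(ns_records):
        return "dns-only"         # Cloudflare answers DNS, origin serves HTTP
    return "not-cloudflare"

# Constructed sample records; hostnames are placeholders, not real sites.
SAMPLES = {
    "proxied.example": (["amy.ns.cloudflare.com."], ["104.16.1.10"]),
    "dnsonly.example": (["bob.ns.cloudflare.com."], ["203.0.113.7"]),
    "cname.example":   (["ns1.registrar.example."], ["172.64.80.1"]),
    "other.example":   (["ns1.registrar.example."], ["198.51.100.9"]),
}

def classify_all(samples=SAMPLES):
    """Classify every sample host; returns {hostname: verdict}."""
    return {host: classify(ns, a) for host, (ns, a) in samples.items()}

if __name__ == "__main__":
    for host, verdict in classify_all().items():
        print(f"{host:18} {verdict}")
```

The cname.example row shows the opposite mistake as well: a host can sit behind the proxy while its name servers are elsewhere, so a list built from NS records alone can both over-report and under-report.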
Levi 24 Feb, 2017
Quoting: km3k
It should be noted that the authors of that GitHub repo are removing from the list DNS-only sites and other sites confirmed not to be affected. See the commit history for details.

You are entirely correct. Just asked people to double-check before shouting in the empty void of birds.
silmeth 24 Feb, 2017
More technical info about the incident (what kind of data leaked, what numbers, how and why, and how the issue was resolved and in which timeframe) can also be seen in Google’s Project Zero issue about it.

Seems there is a chance it hasn’t been exploited yet, but as the data leaked to web crawlers, people do have leaked data cached (and may not even realize it yet), and that cached data may be used later.
Nyamiou 25 Feb, 2017
It's much more severe than just passwords. Basically everything you have been doing on those websites could have been leaked. People can use those data to blackmail you. And since the Google crawler managed to get this kind of data into their cache we can assume a lot of others did as well.