Author Topic: Cloudflare bug  (Read 5436 times)

Offline Duki3003

  • Admin
  • Member
  • Posts: 4855
Cloudflare bug
« on: February 24, 2017, 10:02:44 pm »
A bug was recently discovered with Cloudflare, which BakaBT and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your BakaBT password.

You should similarly change your security credentials for other websites that use Cloudflare (see link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.
The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between 13th Feb and 18th Feb when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it’s important that you take appropriate precautions to protect yourself.

Here are some links for further reading on the Cloudflare bug:
TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/
List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

-BakaBT staff
« Last Edit: February 24, 2017, 10:06:07 pm by Duki3003 »

Offline jiop

  • Member
  • Posts: 342
  • Just a BOT...
    • Anime Portal
Re: Cloudflare bug
« Reply #1 on: February 24, 2017, 11:27:33 pm »
https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/

Quote
"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines"

Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains. Graham-Cumming said Thursday's disclosure came only after the leaked data was fully purged with the help of the search engines.
Google cache, however, appeared to show data remained exposed by the bug.
« Last Edit: February 24, 2017, 11:33:05 pm by jiop »

Offline likcoras

  • Member
  • Posts: 1
Re: Cloudflare bug
« Reply #2 on: February 25, 2017, 02:02:29 am »
What about passkeys, for torrents? Is it recommended to change those as well?

Offline Mistgun_Zero

  • Member
  • Posts: 6450
  • Idol~chan
Re: Cloudflare bug
« Reply #3 on: February 25, 2017, 06:30:06 am »
Oh boi. Can we request user name change as well? I would like to take this opportunity to start over new. I need to restructure most of my pass and ID in a lot of places as is.

Homu-Homu is troubled

Online megido-rev.M

  • Member
  • Posts: 21267
  • Come now, it's nothing special.
Re: Cloudflare bug
« Reply #4 on: February 25, 2017, 08:00:53 am »
I was thinking of lengthening my password anyhow.
Quote
That's it! I've come up with a new recipe!

Offline Duki3003

  • Admin
  • Member
  • Posts: 4855
Re: Cloudflare bug
« Reply #5 on: February 25, 2017, 08:01:59 am »
Quote
What about passkeys, for torrents? Is it recommended to change those as well?

No need, but if you want you may always change it as well.

Quote
Oh boi. Can we request user name change as well? I would like to take this opportunity to start over new. I need to restructure most of my pass and ID in a lot of places as is.

Sorry, but no. The guidelines for username changes are unchanged.

Offline ridon428

  • Member
  • Posts: 1303
  • Dial Four-Two-Eight Toll Free!
    • Personal Site
Re: Cloudflare bug
« Reply #6 on: February 25, 2017, 08:40:15 am »
Quote
Oh boi. Can we request user name change as well? I would like to take this opportunity to start over new. I need to restructure most of my pass and ID in a lot of places as is.
Sorry, but no. The guidelines for username changes are unchanged.

Is a security issue a valid reason for a username change? I use ridon428 a lot on different sites. I don't plan to change it, though.

Offline Duki3003

  • Admin
  • Member
  • Posts: 4855
Re: Cloudflare bug
« Reply #7 on: February 25, 2017, 09:18:33 am »
Seriously? Usernames are not private and hidden, private information; if any information was compromised, changing your password will suffice. Besides, username changes are handled manually with admin assistance and it is unfeasible that we will allow for massive username change requests.

Offline Krudda

  • Member
  • Posts: 10304
  • 私は 日本語 が 上手 じゃ ありません
    • My Anime List
Re: Cloudflare bug
« Reply #8 on: February 26, 2017, 01:58:50 am »
I found out about this roughly half an hour before this was posted. Due to the nature of API data, it is also recommended to change passwords on any sites you visit, even if they're unassociated with Cloudflare. Even more so if you don't use adblock or similar.

Offline Tanis

  • Member
  • Posts: 3239
Re: Cloudflare bug
« Reply #9 on: February 26, 2017, 03:55:07 am »
First yahoo...now this?
Fuckin' aye!


Still, at least I use a different password for most of my stuff.
-Some sites I just don't give a fuck about so...yeah...feel free to 'hack' my 3 post account on some random site I haven't logged into in 5 years.
XD

Online megido-rev.M

  • Member
  • Posts: 21267
  • Come now, it's nothing special.
Re: Cloudflare bug
« Reply #10 on: February 26, 2017, 05:20:48 am »
Quote
Due to the nature of API data, it is also recommended to change passwords on any sites you visit, even if they're unassociated with Cloudflare.

How does that work?

Offline Krudda

  • Member
  • Posts: 10304
  • 私は 日本語 が 上手 じゃ ありません
    • My Anime List
Re: Cloudflare bug
« Reply #11 on: February 26, 2017, 06:35:02 am »
Don't ask me, it's just something I read in a security report.
I assume it's probably something to do with how you are tracked for ads and logged in at multiple sister sites (ex facebook, google+, twitter etc login)

Online megido-rev.M

  • Member
  • Posts: 21267
  • Come now, it's nothing special.
Re: Cloudflare bug
« Reply #12 on: February 26, 2017, 06:42:14 am »
I should be good then. I don't even use social media ;D.

Offline sneaker2

  • Member
  • Posts: 240
Re: Cloudflare bug
« Reply #13 on: February 26, 2017, 04:31:51 pm »
Quote
Oh boi. Can we request user name change as well? I would like to take this opportunity to start over new. I need to restructure most of my pass and ID in a lot of places as is.

That's why people use password managers with a unique random password for each site. Such databases get leaked all the time anyways.

Offline Kage x Ryuu

  • Member
  • Posts: 23
Re: Cloudflare bug
« Reply #14 on: March 06, 2017, 03:53:50 pm »
>.> i don't even remember my pass anymore, autofill ftw ._.

Offline Tiffanys

  • Member
  • Posts: 10254
  • real female girl ojō-sama
Re: Cloudflare bug
« Reply #15 on: March 22, 2017, 01:08:27 pm »
Meh... I cba to change my password on the literally thousands of sites I'm on that all use Cloudflare. I haven't even been all that active online for the past month. I don't know that I've logged in to anything in the past month. Most things just have my credential cookies or whatever stored that keep me logged in always. I definitely didn't sign up to anything new, either.

Offline Krudda

  • Member
  • Posts: 10304
  • 私は 日本語 が 上手 じゃ ありません
    • My Anime List
Re: Cloudflare bug
« Reply #16 on: March 22, 2017, 03:22:41 pm »
This was not a recent thing, it's been happening for three years - only it happened in bulk recently.