Regarding CloudFlare memory leak and security

User avatar
Avatar of Vengeance
Avatar of Vengeance
Posts: 2711
Joined: Thu 1998.01.01, 00:00
Honor: 3094
Points: 2423439254.90
BDO: Blader
Cabal: BL
Vindictus: Lann
C9: Blade Dancer
Gender: Male
Karma: 神風
: Assassin Black Star Winged Devotion Dedication Heavy 1st 20 HR BDO JP Volunteer BDO KR Translator BDO JP Translator BDO RU Translator Black Spirit inside Black Spirit's Partner
Medals: 17

Regarding CloudFlare memory leak and security

Postby KAMIKADzE » Sun 2017.02.26, 09:13

Since I was asked if I'm aware about it, I thought that I might as well just post a statement regarding this CloudFlare issue (apparently it's now a big deal on the news outlets and I might get asked about it again, so I'll just forward those questions to this post).

First of all, if you're not aware, this forum uses some of the CloudFlare CDN services (it's mentioned in forum privacy policy).
I will not go deeply into details, but basically, due to 1 wrong character in their code, some of the CloudFlare servers leaked memory dumps with sensitive info (passwords, cookies and stuff) mainly to search engine bots, but possibly to some haxors as well. You can read more on that in the official CloudFlare blog post.

Basically our Forum was not affected by this issue, and it was fixed 2017.02.20 21:59, or at least that's what CloudFlare told me few hours before this info went public (so yes I'm aware of it). All of the detected leaked memory belonged to some other sites, but since CloudFlare internally decrypts TLS traffic from you before it's sent over TLS to the forum's server (You -TLS-> CloudFlare -TLS-> Forum) it was possible for CloudFlare to leak passwords or PMs, even though that they assured me that it didn't.
In any case even if the issue affected forum - the worst thing that could happen is a leak of your email address (unless you use the same password for everything). Unfortunately there's no way for me to check that, there were no problems between forum and CloudFlare.
Should you worry about it? Probably not (unless you use the same password for everything, in this case it could've leaked on some other site even if it didn't on this forum, especially if you use it on site without secure that case you're leaking it all the time =D ).
Should you change password? There's really no need for that, but it won't hurt you to change it from time to time anyway, so it's up to you. Even if someone will ever get handle of your acc on the forum (be it related to this issue or not) - you can easily get it back by contacting forum administration via support mail or contact us page, of course using your email (all email/password changes are logged, so the real problem can start only if someone will stole your old email used to register on this forum and then claim that someone stole his forum acc 8-) in that case it won't be if your forum acc will be ever stolen - try to contact me asap, as in that case it will be easier to prove it).
Also in the future I might add 2FA. I doubt that I'll ever try to develop that myself, but I'm following the development of such "addon" by 3rd party, and once(if) it will be finished and polished I will add it (that will be definitely mentioned in the news section, and it won't be mandatory for non-staff members of the forum).

Hopefully that answered all of your questions related to this issue + some general security reminder. If you'll have any other questions related to this issue - feel free to ask them in this thread (or in PM if they have something that shouldn't be publicly available).

Return to “News&Changes”

Who is online

Users browsing this forum: No registered users and 1 guest