Cloudflare Vulnerability

Administrator
Posts: 6495
By Rooks 2017-02-24 08:04:35

Yesterday, Cloudflare, a popular caching and proxy service, was revealed to have had a major vulnerability that leaked user session information, even over https. FFXIAH uses Cloudflare (as does bg-wiki I believe, but I could be wrong). The exact nature of what could be discovered with the vulnerability was fairly random, so any individual piece of data is likely safe; but as with anything along these lines, it is better to be safe than sorry, especially given how long this vulnerability was in the field.

Taviso's announcement: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Partial list of sites affected: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
More reading: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165

tl;dr: you should strongly consider changing your password, pretty much everywhere
Valefor.Sehachan
Guide Maker
Server: Valefor
Game: FFXI
user: Seha
Posts: 24219
By Valefor.Sehachan 2017-02-24 17:36:15

Think it's worth bumping.
Ragnarok.Hevans
Server: Ragnarok
Game: FFXI
user: Hev
Posts: 15273
By Ragnarok.Hevans 2017-02-24 18:02:29

My password here is password... you're saying I'm now vulnerable?
Fenrir.Celdwn
Server: Fenrir
Game: FFXI
user: celdwn
Posts: 47
By Fenrir.Celdwn 2017-02-24 18:26:15

Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.
Posts: 42635
By Jetackuu 2017-02-24 18:37:11

Fenrir.Celdwn said: »
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.

No.
Valefor.Prothescar
Guide Master
Server: Valefor
Game: FFXI
Posts: 19329
By Valefor.Prothescar 2017-02-24 18:53:03

I mean I guess if you make all your passwords the same and thus your XI password is the same as your XIAH/BG/Reddit/etc. password...
Siren.Mosin
Server: Siren
Game: FFXI
user: BKiddo
By Siren.Mosin 2017-02-24 19:02:23

Even a desperate Russian teenager would give my identity back if it was stolen.
Phoenix.Dabackpack
MSPaint Winner
Server: Phoenix
Game: FFXI
Posts: 2007
By Phoenix.Dabackpack 2017-02-24 19:09:31

Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone
Phoenix.Dabackpack
MSPaint Winner
Server: Phoenix
Game: FFXI
Posts: 2007
By Phoenix.Dabackpack 2017-02-24 19:10:03

Fenrir.Celdwn said: »
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.

This literally has nothing to do with FFXI.
Bismarck.Patrik
Server: Bismarck
Game: FFXI
user: Patrik
Posts: 1325
By Bismarck.Patrik 2017-02-24 19:15:18

Transferwise uses cloudflare... I use that to send money to US bank account. I hope someone hacks it and sends me money...
Administrator
Posts: 6495
By Rooks 2017-02-24 20:01:07

Phoenix.Dabackpack said: »
Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone

Yeah. FFXIAH's window of vulnerability is actually so small as to basically be non-existent - we don't use it for anything other than a glorified CDN for static assets. But this is widespread enough that I felt it merited a post.
Posts: 346
By Sidiov 2017-02-24 22:51:38

Web needs more 2FA.
Valefor.Sehachan
Guide Maker
Server: Valefor
Game: FFXI
user: Seha
Posts: 24219
By Valefor.Sehachan 2017-02-25 12:19:09

If you're not sure if a website you use is affected you can use this useful tool: http://www.doesitusecloudflare.com/
Posts: 42635
By Jetackuu 2017-02-25 13:19:30

Valefor.Sehachan said: »
If you're not sure if a website you use is affected you can use this useful tool: http://www.doesitusecloudflare.com/

notsureifthatworkssowell.
Asura.Chiaia
VIP
Server: Asura
Game: FFXI
user: Demmis
Posts: 1652
By Asura.Chiaia 2017-02-25 13:41:38

Rooks said: »
(as does bg-wiki I believe, but I could be wrong)
We do! The server admin has already contacted Cloudflare; neither the BG forums nor bg-wiki were hit.

Official post by him here.

Edit: I'd still recommend changing your password if you were using the same one on another site. Won't get into why that is already a horrible idea to start with though.
 
Server: Excalibur
Game: FFXIV
user: misacat
Posts: 3176
By Nadleeh Sakurai 2017-02-25 15:18:32

Oh noes. My MSP pixels!

In all seriousness, thanks for the warning.
Administrator
Posts: 6495
By Rooks 2017-02-25 15:48:59

Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the CDN servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)
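The reasoning Rooks gives above (static assets on cdn.ffxipro.com sit behind Cloudflare, but a browser never sends ffxiah.com session cookies to that host, so nothing sensitive transited the proxy) can be written down as a check. The script below is an added example, not code from the thread, from FFXIAH or from Cloudflare. It detects Cloudflare fronting from response headers the edge actually adds (Server: cloudflare or cloudflare-nginx, CF-RAY, CF-Cache-Status) and applies RFC 6265 domain matching to decide which cookies would reach a fronted host. All hostnames, header values and cookie scopes in it are constructed for illustration.

```python
"""Added example (not from the original thread, FFXIAH or Cloudflare):
would any session cookie be sent to a Cloudflare-fronted host?

Real-world facts used: Cloudflare's edge adds Server: cloudflare (older
responses said cloudflare-nginx), CF-RAY and CF-Cache-Status headers;
RFC 6265 section 5.1.3 defines cookie domain matching. Everything else
(hostnames, header values, cookie names) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Response headers that Cloudflare's edge adds to proxied responses.
CLOUDFLARE_HEADERS = ("cf-ray", "cf-cache-status")


def is_cloudflare_fronted(headers: Dict[str, str]) -> bool:
    """True if the response headers carry Cloudflare edge markers.

    Header names are case-insensitive; the Server value has been both
    'cloudflare-nginx' (2017 era) and plain 'cloudflare', so prefix-match.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if lowered.get("server", "").startswith("cloudflare"):
        return True
    return any(name in lowered for name in CLOUDFLARE_HEADERS)


@dataclass(frozen=True)
class CookieScope:
    """Where a cookie is sent. `domain` is the Domain attribute, or the
    setting host for a host-only cookie (one set without Domain=)."""
    name: str
    domain: str
    host_only: bool = False

    def sent_to(self, request_host: str) -> bool:
        """RFC 6265 domain-match: host-only cookies go to exactly one host;
        domain cookies go to that domain and every subdomain of it."""
        host = request_host.lower()
        dom = self.domain.lower().lstrip(".")
        if self.host_only:
            return host == dom
        return host == dom or host.endswith("." + dom)


def exposed_cookies(hosts: Dict[str, Dict[str, str]],
                    cookies: Iterable[CookieScope]) -> List[Tuple[str, str]]:
    """(cookie name, host) pairs where the cookie would be sent to a host
    behind Cloudflare, i.e. where a proxy memory leak could have caught it.
    `hosts` maps each hostname to the response headers observed from it."""
    fronted = sorted(h for h, hdrs in hosts.items() if is_cloudflare_fronted(hdrs))
    return [(c.name, h) for c in cookies for h in fronted if c.sent_to(h)]


# Constructed scenario 1, shaped like the FFXIAH setup described in the
# thread: the forum/login host is served directly; only a CDN host on an
# unrelated domain is behind Cloudflare.
FORUM_HOSTS = {
    "www.forum.example": {"Server": "nginx/1.10.3", "Content-Type": "text/html"},
    "cdn.assets.example": {"Server": "cloudflare-nginx",
                           "CF-RAY": "33a1b2c3d4e5f6a7-LAX",
                           "CF-Cache-Status": "HIT"},
}
FORUM_COOKIES = [
    CookieScope("session", "forum.example"),
    CookieScope("csrf", "www.forum.example", host_only=True),
]

# Constructed scenario 2: the login host itself is proxied, and the session
# cookie is scoped to the parent domain so it also reaches a static host.
SHOP_HOSTS = {
    "www.shop.example": {"Server": "cloudflare", "CF-RAY": "33a1b2c3d4e5f6a8-LAX"},
    "static.shop.example": {"Server": "cloudflare", "CF-RAY": "33a1b2c3d4e5f6a9-LAX"},
}
SHOP_COOKIES = [
    CookieScope("session", "shop.example"),
    CookieScope("csrf", "www.shop.example", host_only=True),
]


def assess(hosts: Dict[str, Dict[str, str]], cookies: Iterable[CookieScope]) -> str:
    """Human-readable verdict for one site."""
    hits = exposed_cookies(hosts, cookies)
    if not hits:
        return "no session cookies reach a Cloudflare-fronted host"
    return "; ".join(f"{name} -> {host}" for name, host in hits)


if __name__ == "__main__":
    print("forum:", assess(FORUM_HOSTS, FORUM_COOKIES))
    print("shop: ", assess(SHOP_HOSTS, SHOP_COOKIES))
```

Two caveats when using this for real. The header check only tells you about hosts you actually fetched, and a site can proxy some hostnames and not others, so check every host the login flow touches, not just the front page. And a clean result only means your own cookies were not in the memory Cloudflare leaked; it says nothing about a password reused on a site that was affected, which is the point the thread keeps returning to.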
Lakshmi.Zerowone
Server: Lakshmi
Game: FFXI
user: Zerowone
Posts: 6949
By Lakshmi.Zerowone 2017-02-25 15:58:32

Rooks said: »
Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the CDN servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)

Is there a reason you're not outright saying sites/apps like TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber etc. use it in some capacity?

Since chances are people on this site use those sites/services.
Administrator
Posts: 6495
By Rooks 2017-02-25 16:05:57

Lakshmi.Zerowone said: »
Rooks said: »
Jetackuu said: »
notsureifthatworkssowell.

Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the CDN servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.

The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)

Is there a reason you're not outright saying TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber use it in some capacity?

Since chances are people on this site use those sites/services.

I linked to a fairly complete list (and now there's a tool to check a site, that's handy). My concern with my Admin hat on is for this site (we're fine) and the sites we're closely aligned with (BG being the big one). But I guess I thought I had made the warning dire enough that people would investigate it a little more on their own and not need a full list from me.