Cloudflare vulnerability
By Rooks 2017-02-24 08:04:35
Yesterday, Cloudflare, a popular caching and proxy service, was revealed to have had a major vulnerability leaking user session information, even over https. FFXIAH uses Cloudflare (as does bg-wiki I believe, but I could be wrong). The exact nature of what could be discovered with the vulnerability was fairly random, so any individual piece of data is likely safe; but as with anything along these lines, it is better to be safe than sorry, especially given how long this vulnerability was in the field.
Taviso's announcement: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Partial list of sites affected: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
More reading: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165
tl;dr: you should strongly consider changing your password, pretty much everywhere
Valefor.Sehachan
サーバ: Valefor
Game: FFXI
Posts: 24219
By Valefor.Sehachan 2017-02-24 17:36:15
Think it's worth bumping.
Ragnarok.Hevans
サーバ: Ragnarok
Game: FFXI
Posts: 15273
By Ragnarok.Hevans 2017-02-24 18:02:29
my password here is password... you're saying i'm now vulnerable?
Fenrir.Celdwn
サーバ: Fenrir
Game: FFXI
Posts: 47
By Fenrir.Celdwn 2017-02-24 18:26:15
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.
By Jetackuu 2017-02-24 18:37:11
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.
No.
サーバ: Valefor
Game: FFXI
Posts: 19416
By Valefor.Prothescar 2017-02-24 18:53:03
I mean I guess if you make all your passwords the same and thus your XI password is the same as your XIAH/BG/Reddit/etc password..
Siren.Mosin
By Siren.Mosin 2017-02-24 19:02:23
Even a desperate Russian teenager would give my identity back if it was stolen
サーバ: Phoenix
Game: FFXI
Posts: 2011
By Phoenix.Dabackpack 2017-02-24 19:09:31
Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone
サーバ: Phoenix
Game: FFXI
Posts: 2011
By Phoenix.Dabackpack 2017-02-24 19:10:03
Since day one, SE has warned about the unsafe nature of third party software and unauthorized websites. Isn't this really just that warning finally coming to fruition? But thanks for repeating the heads up from 2004.
this literally has nothing to do with ffxi
Bismarck.Patrik
サーバ: Bismarck
Game: FFXI
Posts: 1325
By Bismarck.Patrik 2017-02-24 19:15:18
Transferwise uses cloudflare... I use that to send money to US bank account. I hope someone hacks it and sends me money...
By Rooks 2017-02-24 20:01:07
Phoenix.Dabackpack said: »Thanks for spreading the message. This is the biggest security vulnerability since Heartbleed (perhaps even worse), so please take it seriously everyone
Yeah. FFXIAH's window of vulnerability is actually so small as to basically be non-existent - we don't use it for anything other than a glorified CDN for static assets. But this is widespread enough that I felt it merited a post.
By Sidiov 2017-02-24 22:51:38
Web needs more 2fa
Valefor.Sehachan
サーバ: Valefor
Game: FFXI
Posts: 24219
By Valefor.Sehachan 2017-02-25 12:19:09
If you're not sure if a website you use is affected you can use this useful tool: http://www.doesitusecloudflare.com/
By Jetackuu 2017-02-25 13:19:30
notsureifthatworkssowell.
Asura.Chiaia
VIP
サーバ: Asura
Game: FFXI
Posts: 1652
By Asura.Chiaia 2017-02-25 13:41:38
(as does bg-wiki I believe, but I could be wrong)
We do! The server admin has already contacted Cloudflare; neither bg forums nor bgwiki were hit.
Official post by him here.
Edit: I'd still recommend changing your password if you were using the same one on another site. Won't get into why that is already a horrible idea to start with though.
サーバ: Excalibur
Game: FFXIV
Posts: 3176
By Nadleeh Sakurai 2017-02-25 15:18:32
oh noes. my msp pixels!
all seriousness, thanks for the warning
By Rooks 2017-02-25 15:48:59
notsureifthatworkssowell.
Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the cdn servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.
The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)
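Rooks's point above, that session cookies never transit the proxy because the CDN sits on a different registrable domain, can be checked mechanically with RFC 6265 cookie domain matching. This is an added example, not code from the thread or from FFXIAH; the hostnames come from the post, while the cookie attributes and the example.test layout are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute, or the setting host when none was given
    host_only: bool    # True when the Set-Cookie had no Domain attribute
    secure: bool = True

def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3 domain matching: decides whether a cookie rides along on a request."""
    host = request_host.lower().rstrip(".")
    cdom = cookie.domain.lower().lstrip(".").rstrip(".")
    if cookie.host_only:
        return host == cdom
    return host == cdom or host.endswith("." + cdom)

def cookies_through_proxy(cookies, fetched_hosts, proxied_hosts):
    """Cookies the browser would attach to requests that terminate at the proxy.
    The Secure flag does not help here: the proxy terminates TLS, so a Secure
    cookie still passes through its memory in the clear."""
    hits = set()
    for host in fetched_hosts:
        if host not in proxied_hosts:
            continue
        for c in cookies:
            if domain_matches(host, c):
                hits.add((c.name, host))
    return sorted(hits)

# Constructed scenario 1: session cookie on the forum host, static assets on a CDN that
# lives on a different registrable domain (the layout described in the thread; the
# hostnames are taken from the thread, the cookie details are assumed).
def separate_cdn_domain():
    cookies = [Cookie("session", "ffxiah.com", host_only=False)]
    fetched = ["ffxiah.com", "cdn.ffxipro.com"]
    return cookies_through_proxy(cookies, fetched, proxied_hosts={"cdn.ffxipro.com"})

# Constructed scenario 2: same layout, but the CDN is a subdomain of the cookie's
# domain, so the session cookie is sent to the proxied host on every asset request.
def cdn_under_cookie_domain():
    cookies = [Cookie("session", "example.test", host_only=False)]
    fetched = ["example.test", "cdn.example.test"]
    return cookies_through_proxy(cookies, fetched, proxied_hosts={"cdn.example.test"})

if __name__ == "__main__":
    print("separate CDN domain exposes:", separate_cdn_domain())        # []
    print("CDN under cookie domain exposes:", cdn_under_cookie_domain())  # [('session', 'cdn.example.test')]
```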
Lakshmi.Zerowone
サーバ: Lakshmi
Game: FFXI
Posts: 6949
By Lakshmi.Zerowone 2017-02-25 15:58:32
notsureifthatworkssowell.
Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the cdn servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.
The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)
Is there reason you're not outright saying sites/apps like TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber etc. use it in some capacity?
Since chances are people on this site use those sites/services.
By Rooks 2017-02-25 16:05:57
notsureifthatworkssowell.
Nah, it works fine. Like I said, FFXIAH itself is not vulnerable in any real way - we only use it for the cdn servers (cdn.ffxipro.com), which aren't under ffxiah.com/ffxivpro.com to begin with. All login/forum/sales traffic is free and clear.
The only reason I posted at all is 1) it affects sites in our community and 2) it's big enough that it probably merited a post on its own, since not everyone follows computer security news ;)
Is there reason you're not outright saying TeamSpeak, Discord, Fedoraland (Reddit, though I think they changed their CDN before this), Uber use it in some capacity?
Since chances are people on this site use those sites/services.
I linked to a fairly complete list (and now there's a tool to check a site, that's handy). My concern with my Admin hat on is for this site (we're fine) and the sites we're closely aligned with (BG being the big one). But I guess I thought I had made the warning dire enough that people would investigate it a little more on their own and not need a full list from me.