• Changing your password is probably necessary and urgent
Due to a now-fixed bug in their software, Cloudflare has been leaking small amounts of sensitive HTTPS session data since September of 2016. This may include website passwords and authentication keys, password manager data, chat messages, and more. While most of you guys may be safe, there's a slim chance you aren't.

Today, Cloudflare released an [URL="https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/"]article[/URL] regarding a parser bug that supposedly leaked valuable information: their edge server ran past the end of a buffer and returned memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and a bunch of other valuable data. Most -- or some -- of those values have turned up in search engines (Google, Yahoo, etc.). What this means is that, because these values have turned up in most search engines (0.00003%), you may be compromised.

Here's an unofficial [URL="https://github.com/pirate/sites-using-cloudflare"]list of websites[/URL] affected (this list is not comprehensive, and is still being updated). You should probably change your passwords on those sites, revoke any login or API keys and "trusted devices", and purge login sessions if possible. Don't panic, just change your passwords to be on the safe side.

Here's a whole bunch of information for geeks. [U][URL="https://bugs.chromium.org/p/project-zero/issues/detail?id=1139"]Original Vulnerability Report[/URL][/U] [U][URL="https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/"]Response from Cloudflare (listed above)[/URL][/U] List of affected sites, here. [URL="https://github.com/pirate/sites-using-cloudflare/blob/master/sorted_unique.zip"](DIRECT DOWNLOAD)[/URL] Facepunch is affected.
[U]Notable sites[/U]: facepunch.com, authy.com, coinbase.com, betterment.com, transferwise.com, prosper.com, digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, producthunt.com, stackoverflow.com, medium.com, reddit.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, namecheap.com, poloniex.com, localbitcoins.com, kraken.com, fastmail.com (does not proxy TLS, probably safe from this attack)
Also in the list: gyazo.com, discordapp.com, proboards.com, ashleyrnadison.com (note that's not an m :v:), gfy.com, ashleymadison.com, crunchyroll.com, [B]humblebundle.com[/B], blockchain.info, archive.is, ziprecruiter.com, penny-arcade.com, gtaforums.com, [B]nexusmods.com[/B], random.org, pcgames.de, dlink.com, moveon.org, rockpapershotgun.com, bukkit.org, somethingawful.com, moddb.com, thingiverse.com, techdirt.com
So who is going to break the ice first and not ironically say: [quote]It's a good thing I use a password manager that generates 128 character long passwords every 27 hours using a random number seed derived from the isotope decay of Uranium-235![/quote] ...or say that you shouldn't be writing your passwords down because if someone broke into your house they might take that, and let's be honest, if someone was breaking into your house I'm sure they will be more fixated on your other valuable shit they can discreetly flip on craigslist for cash than something written on a piece of paper at the back of your sock drawer.
[QUOTE=pentium;51867212]So who is going to break the ice first and not ironically say: ...or say that you shouldn't be writing your passwords down because if someone broke into your house they might take that, and let's be honest, if someone was breaking into your house I'm sure they will be more fixated on your other valuable shit they can discreetly flip on craigslist for cash than something written on a piece of paper at the back of your sock drawer.[/QUOTE] Tbh I hate when people DO bitch about password managers... it's like, no one is going to pretend that having a password manager makes you immune to leaks or account break-ins, but it's a lot safer than a lot of other things. When I write a password down though, or store it, I never keep the account name with it. That way if you do find it missing it's literally impossible for them to just KNOW your account off the bat. But also I store it in a way that only a mental patient would.
If you don't want to use the same password everywhere but you can't remember everywhere, fucking write them down. Password managers are like putting your keys on a keychain. It puts them all together but if you lose the keychain you lose everything.
[QUOTE=pentium;51867230]If you don't want to use the same password everywhere but you can't remember everywhere, fucking write them down. Password managers are like putting your keys on a keychain. It puts them all together but if you lose the keychain you lose everything.[/QUOTE] Using the same password everywhere is like the first sign that you're doing something very wrong. At least with a password manager the full pass to unlock is inside my head and head alone.
fake pornhub websites are compromised too, better change those while you're at it
I keep the password to my password manager on my phone, which has a password, and is encrypted. Not sure who'd go through all that trouble to steal a Runescape account and some university sites, but hey. Security. I wouldn't be dumb enough to put something important on there, like my credit card or bank password. Those are written down on post-it notes. Somewhere in my stack of post-it notes.
[QUOTE=J!NX;51867247]Using the same password everywhere is like the first sign that you're doing something very wrong. At least with a password manager the full pass to unlock is inside my head and head alone.[/QUOTE] Except we've already seen that password managers are equally not as watertight. That being so, it's a bad idea to be storing passwords on a service that remotely touches the internet.
[QUOTE=pentium;51867324]Except we've already seen that password managers are equally not as watertight. That being so, it's a bad idea to be storing passwords on a service that remotely touches the internet.[/QUOTE] Good thing I don't keep it connected to the internet directly then [editline]24th February 2017[/editline] I mean, ONLINE managers yeah that's a bit fucking silly, but I use an offline one.
I wasn't encouraging the use of the same password in multiple places and you damn well know that.
Here I was thinking Facepunch had been hacked again. Nevertheless, thank you for the heads up!
I wish I could just use a damn passphrase (with intentional typos) but no [i]god damn[/i] some websites must have their 16 character password limits!!
[QUOTE]nexusmods.com[/QUOTE] Three times in 6 months, are you f'in kidding
[QUOTE=27X;51867363]Three times in 6 months, are you f'in kidding[/QUOTE] At least it's not really their fault this time. :v:
my strategy is that i forget my passwords and thus have to reset them damn near every time i login
[QUOTE=pentium;51867332]I wasn't encouraging the use of the same password in multiple places and you damn well know that.[/QUOTE] I mean, I'm more referring to those who want to do it, as did you as well
ur bank accounts are also probably compromised i'd suggest everyone watch over ur statements for a little while...
Am I really gonna have to change my password for the 5th fucking time? I swear to god it's only on FP that this sort of bullshit happens.
Can anyone recommend a good password manager?
[QUOTE=Hezzy;51867484]Can anyone recommend a good password manager?[/QUOTE] I use KeePass, but not for any particular reason.
Jesus what a fucking mess
I'm so glad I was already phasing out my current FP password and have 2-step on just about everything. Even if I am probably never gonna get affected by it, I'm prepared.
[QUOTE=SoftHearted;51867481]Am I really gonna have to change my password for the 5th fucking time? I swear to god it's only on FP that this sort of bullshit happens.[/QUOTE] if you want you could give me your passwords Mr. Cantreadtheop
ffsss we're potentially affected [quote]The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.[/quote] I'd say that chances are good we're not affected
[QUOTE=Hezzy;51867484]Can anyone recommend a good password manager?[/QUOTE] Enpass. [QUOTE=LordCrypto;51867538]ffsss we're potentially affected I'd say that chances are good we're not affected[/QUOTE] Even if we aren't, be safe and change your password.
I suggest LastPass, and the reason why is, [I]as long as your master password is not compromised[/I] or guessed, everything should be just fine. [URL="https://www.grc.com/sn/sn-256.htm"]An extensive (and very wordy, this is a transcript of a podcast) review[/URL] of LastPass's security features is covered in episode 256 of the [I]Security Now![/I] podcast by Steve Gibson, a security researcher and general nerd who, among other things, coined the term "spyware".

TL;DR version: LastPass never submits your unencrypted stuff. Your password vault is encrypted on your machine and then sent to the LastPass servers. Your master password is hashed a bunch on your local machine, and [I]that hash[/I] is sent to the cloud server. When you log into the client in a separate session, the local client hashes your entered master password using the same process as account creation, and then it sends that hash to the server -- if that hash matches, you entered the right password, and your [I]encrypted[/I] password vault is sent from the LastPass cloud to your client, and decrypted on your side. Any changes are encrypted locally before synchronizing with the cloud. At any point in time, all LastPass has from you (not counting any payment info in case you decide to use their LP Premium service) is your email address, your master password's multiple-pass hash, and the blob of pseudorandom data that is your encrypted LP password vault. There is an offline client so you can use your vault without needing to be connected to the Internet. [URL="https://www.lastpass.com/how-it-works"]LP's own page declares that they use "AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes".[/URL]

There's only one catch with LastPass: If you forget your master password, you're [U]fucked[/U] because they don't have it.
There is now a way to generate a recovery password, but it's an option that needs to be enabled before you actually need the recovery button, and it only works on clients you've already signed into.
LastPass has been compromised before. I don't trust it.
[QUOTE=josm;51867616]LastPass has been compromised before. I don't trust it.[/QUOTE] They're also incredibly paranoid and jump and yell fire at the slightest thing, so "compromised" for LastPass isn't quite the same as "compromised" as in Yahoo and 500 million accounts and so on.
I'd still prefer to use enpass over lastpass but that's just me.