Cloudbleed Security Vulnerability

Giza (Board Member, Staff Member)

Hello everyone,

Due to the Cloudbleed security vulnerability, we have logged all users out of the website.

When you log back in, we ask that you change your password--that can be done here.

While we do not have reason to believe that any specific accounts have been compromised at this time, we do want to minimize the chances of that becoming an issue.

Thanks!

-- Giza

Pennsylvania Furry? Be sure to check out http://www.pa-furry.org/

Lexa Wolf

Thanks for the heads up. I just changed my password.

Pegasus

Holy Crap, how could I have missed that advisory :ooh:

What a nasty bug, thanks a lot for making us aware. Guess I will spend the rest of the night changing all my passwords.  :irk:

TheBlueWizard

I just changed my password too. But I see two technical problems with this website: one, I don't see a link to the password editing area from the "User Menu" section in the left column, despite the fact that the "My account" link is shown. Also, in the password changing area, it should ask for the old password as well as for the new password, just to add a layer of security, in my opinion.

I'm sure those can be easily fixed. Thanks!

charlieg (Contributor)

When you click on MY ACCOUNT, there's an EDIT option next to most options.  If you click on that, you will see tabs where you can change almost everything, including your password.


To avoid problems with parents, read this before you talk to them about furry:  http://www.anthrocon.org/node/25587/age-questions-how-talk-parents-general-other-things

Giza (Board Member, Staff Member)

Yeah, Drupal's being weird about that, and I haven't been able to get to the root of the problem, unfortunately. (That's one reason why I included the link in my post.)

Ron Bauerle (Contributor)

I didn't know a buffer overrun would/could result in storing data "on a completely different website" - ??? I thought it just let the hackers get access to the original website...

Giza (Board Member, Staff Member)

CloudFlare's platform proxies HTTP requests for many (millions?) different websites. As such, one of their daemons that proxies traffic for a given website in one request can proxy traffic for an entirely different website in the next request.

Aushi

The buffer overrun returned data to clients other than intended-- some of those clients were search engine spiders, which cached the data. Most of that data also had common meta identifiers in the dumps, so it was pretty easy to find until the search engines started purging it. 

So you had effectively millions of passwords, auth tokens, encryption keys, etc, etc in plaintext on Google. This was, as bad things go in the security world, astoundingly bad. 
