Jump to content
Guest Tuxy Fluffyclaws

PSA: Cloudflare security issue

Recommended Posts

Guest Tuxy Fluffyclaws

Yesterday Cloudflare, which TruckersMP use for layer 7 protection, made a chilling incident report available. The issue was discovered by Tavis Ormandy from Google Project Zero, and was disclosed to Cloudflare, who mitigated the issue within 1 hour of the report.

They had a bug in their software which caused secret information to be exposed in HTTP reponses. The issue is so wide spread that in effect, it could potentially have exposed TruckersMP credentials, as well as other sites who use their services' information.

We're making this post as a quick heads-up and urge you to change passwords on your accounts, not just TruckersMP but any other site that use Cloudflare (ie. Discord). If you are a developer, or power user, roll your API keys as well.

ps. Just to make this explicitly clear: TruckersMP infrastructure has not been compromised, this applies to everyone who used Cloudflare, not just us.

FAQ

Q: But Cloudflare said only some sites where affected

A: That's true, only some sites leaked information, but there is no guarantee that the data leaked wasn't from us or someone else.

Q: Was any TruckersMP data leaked?

A: Not that we're aware of, but we operate with a better safe than sorry mentality.

Q: What is PSA?

A: Public Service Announcement we're not alone

Q: I'm running out of ideas for passwords!

A: We can suggest switching to a password manager like LastPass, 1Password, Dashlane, Keepass, KeepassX or Enpass

Title image by KacaKTV

View post on homepage

Share this post


Link to post
Share on other sites
Guest Azyer

Be sure to check out haveibeenpwned.com to make sure they havent been leaked and if they did, please change.

Share this post


Link to post
Share on other sites

Thank you for the quick notice.

 

It's good to see that TruckersMP take security seriously and inform there users of issues as soon as they are informed, even if they aren't directly linked with their services but could effect users within the community :) 

  • Upvote 1

Share this post


Link to post
Share on other sites
Guest Tuxy Fluffyclaws
18 minutes ago, Smalley said:

I'm running out of ideas for passwords :L 

Switch to a password manager like LastPass and have it make you a good long, strong password ;)

 

13 minutes ago, Ratcho said:

Thank you for the quick notice.

 

It's good to see that TruckersMP take security seriously and inform there users of issues as soon as they are informed, even if they aren't directly linked with their services but could effect users within the community :) 

Doing what I think is the best, since we where potentially affected by the issue, it just makes sense to me.

 

 

Also, updated the post with another Q related to Smalley's comment :P some links to various password managers.

Share this post


Link to post
Share on other sites
Guest Tuxy Fluffyclaws

Completely separate events @SuperSteve2345, this was on cloudflare and affected a lot more than just us, as I wrote in the blog post.

Share this post


Link to post
Share on other sites
5 hours ago, Sentinel_ said:

Even if the database were compromised, aren't the passwords stored in an encrypted format anyway?

This post is not about the database being compromised, because it wasn't.

 

It's about a company providing a service we utilize, and that all our traffic passes through, which had a security flaw occasionally causing more data than intended to be sent to users.

This flaw could happen on a few websites using their service, but the data that would be sent in addition could be from any costumer website.

 

However, to answer your question, yes, the passwords are salted and hashed before they are stored on our servers.

  • Upvote 1

Share this post


Link to post
Share on other sites

And this is why I hate cloud services. Who ever thought up the "bright" idea that storing information on a virtual server was smart? I wish Truckers had never used cloud services. This is so aggravating! I have to go around changing passwords now because you guys used cloud!!!!!

Share this post


Link to post
Share on other sites

@Ebins

 

Almost everyone these days uses CloudFare or virtual servers for their websites. It makes things a lot easier and quicker.

 

If you can think of a better service that doesn't involve any virtual server please suggest it but this is the way that the future is heading and there is nothing that can be done. The security of these severs is getting better and better as time goes on and eventually it will be almost impossible to get into one.

 

FYI, this is not our problem and there is nothing we could have done to stop the attack or even prevent it. It was all out of our control.

Share this post


Link to post
Share on other sites
Guest Tuxy Fluffyclaws
On 01/03/2017 at 5:16 PM, Ebins said:

And this is why I hate cloud services. Who ever thought up the "bright" idea that storing information on a virtual server was smart? I wish Truckers had never used cloud services. This is so aggravating! I have to go around changing passwords now because you guys used cloud!!!!!

You would have had to do it regardless, more services than us use Cloudflare and the likelihood of you and your credentials being exposed to their infrastructure is extremely high.

 

If we didn't use cloud services, we wouldn't have been able to do the kind of things we do today, it'd simply be too expensive to do and protect (we're seeing near constant attacks on our infrastructure, and CF helps us mitigate that, making our site and services quite stable).

 

Mind you, VMs are not to blame, Cloudflare uses dedicated hardware.

 

As a final note, going around changing passwords is something you should do regardless, pick this opportunity to pick your password manager of choice, and maybe even automate some of the chore that is password changing across hundreds of sites.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×
×
  • Create New...