
Have You Reset Your Passwords Yet?

Discussion in 'Hosting & Domains' started by k06mars, Feb 26, 2017.

Thread Status:
Not open for further replies.
  1. Yet another security vulnerability found, this time in CloudFlare.

    https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

    Please note, while it was unlikely any of your details were leaked, if your site uses Cloudflare, or you use a site that uses Cloudflare, action needs to be taken:

    Website owners need to reset all users' passwords.
    Website users need to reset their password (if the website owner hasn't already done so for them).
     
  2. And that's me emailing my host, see what they need to do. I think they are on cloudflare?
     
  4. I got an email from them saying I wasn't affected. Did you guys receive the same thing?

    I haven't reset passwords for Rise Forums members yet. Do you think it is necessary even if they say my websites weren't compromised?

    It seems like this was a pretty bad exploit, but the article also notes that they fixed it within an hour so it sounds like they were at least on the ball with fixing it.
     
  5. I've already changed my rise password so I don't care either way :D

    In general, when an exploit is announced, no matter how small of a window there was, assume your site/account was compromised as a result, and there's no direct harm in resetting a password.

    From an admin/business perspective, you certainly have to factor in the alliance factor (may lose user XYZ over the annoyance factor), but depending on your audience it may serve as more of a positive than a negative (users will feel safer with how you store potentially sensitive information).

     
  6. Yes I agree.

    I'm looking at a discussion about this on XenForo.

    From the looks of it there does not appear to be an easy way to reset all passwords of users via the forum software. One member tried a few different plugins and none appear to be able to do this in bulk.

    https://xenforo.com/community/threads/cloudbleed-https-traffic-leak.126530/

    The owner of Digital Point is saying that nothing from the server side would have been exposed. What are your thoughts on this?

    In addition to running a huge forum, he develops a lot of good addons for XenForo too, so he obviously has some knowledge in this area.

    I still think it would be prudent to reset all passwords. I'll let you know what I find.

    On the topic of sensitive information, that is something I don't take lightly. It's one of the many reasons why I don't have private messaging active on Rise Forums (and due to spammers, con artists, trouble makers etc). It is also why I always ask members to email sensitive information and to never post it publicly on the forums.
     
  7. #7 k06mars, Mar 2, 2017
    Last edited: Mar 2, 2017
    While it's true only sites with crappy HTML would trigger the bug, it affected any site that was hosted (or reverse-proxied) on the same server. When you use cloud hosting, you're essentially going back to shared hosting - it may be on a massive scale, but it's shared server resources nonetheless. As a result, you are affected by a bug like this.

    In terms of what data would be leaked, it all depends on what data passes through Cloudflare, in either direction - server to user or the other way around (such as login POST requests).
     
  8. Just to clarify, I'm not on cloud hosting or shared hosting. I have my own dedicated server and only my own websites are hosted on it. :)
     
  9. Right, but all server traffic (including login requests) does travel through the Cloudflare network, so you would potentially be affected by this bug.
     