- 10,673
- Posts
- 15
- Years
- Seen Dec 30, 2023
According to several sources, there has been recent security issue on CloudFlare which has potentially affected thousands of domains. This includes the Pokecommunity.com domain, as well as big sites such as Discord (in which the forum is affiliated with).
I recommend warning users about this, and suggest that they once again change their passwords on PokéCommunity, its Discord server as well as its Battle Server (as psim.us also uses CloudFlare). Unless you can be sure that the domains in question weren't affected (hard to prove).
ELI5: A memory management error in Cloudflare's reverse proxy code allows them to access uninitialised memory, which contains critical data like user passwords being sent over HTTPS. It's highly unlikely your information will be used/stolen, however it's better to be safe than sorry.
You can read more about the security bug below:
1) https://www.reddit.com/r/sysadmin/c...g_cloudflare_reverse/?st=izjqywza&sh=039931cf
2) https://github.com/pirate/sites-using-cloudflare (You can see pokecommunity.com listed under the "Full List" download of this webpage)
3) https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Alternaive suggestion:
If you're working on an app for PokéCommunity you guys should really consider implementing a 2 factor authentication segment of the application. vB 3.8.8 is a super old software and is likely to have many security exploits at this point. Not to mention that the variables of which are increased by the high number of user-created styles on the forum. Not trying to fear monger here, but there's a lot of members on PC; security is important.
2 Factor Authentication should also be considered as a standard option already (using text). There are many 2FA solutions for both symmetric and asymmetric options including OTP & PKI. These are offered by both free and paid middleware solutions. Using SMS may be the most secure option until there's an application available. Obviously, 2FA should be an optional security layer for all users (but highly recommended).
I recommend warning users about this, and suggest that they once again change their passwords on PokéCommunity, its Discord server as well as its Battle Server (as psim.us also uses CloudFlare). Unless you can be sure that the domains in question weren't affected (hard to prove).
ELI5: A memory management error in Cloudflare's reverse proxy code allows them to access uninitialised memory, which contains critical data like user passwords being sent over HTTPS. It's highly unlikely your information will be used/stolen, however it's better to be safe than sorry.
You can read more about the security bug below:
1) https://www.reddit.com/r/sysadmin/c...g_cloudflare_reverse/?st=izjqywza&sh=039931cf
2) https://github.com/pirate/sites-using-cloudflare (You can see pokecommunity.com listed under the "Full List" download of this webpage)
3) https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Alternaive suggestion:
If you're working on an app for PokéCommunity you guys should really consider implementing a 2 factor authentication segment of the application. vB 3.8.8 is a super old software and is likely to have many security exploits at this point. Not to mention that the variables of which are increased by the high number of user-created styles on the forum. Not trying to fear monger here, but there's a lot of members on PC; security is important.
2 Factor Authentication should also be considered as a standard option already (using text). There are many 2FA solutions for both symmetric and asymmetric options including OTP & PKI. These are offered by both free and paid middleware solutions. Using SMS may be the most secure option until there's an application available. Obviously, 2FA should be an optional security layer for all users (but highly recommended).
Last edited:
