
Issue: PokéCommunity possibly affected by CloudFlare security memory leak

    According to several sources, there has been a recent security issue on CloudFlare which has potentially affected thousands of domains. This includes the Pokecommunity.com domain, as well as big sites such as Discord (with which the forum is affiliated).

    I recommend warning users about this, and suggest that they once again change their passwords on PokéCommunity, its Discord server as well as its Battle Server (as psim.us also uses CloudFlare). Unless you can be sure that the domains in question weren't affected (hard to prove).

    ELI5: A memory management error in Cloudflare's reverse proxy code allows them to access uninitialised memory, which contains critical data like user passwords being sent over HTTPS. It's highly unlikely your information will be used/stolen, however it's better to be safe than sorry.

    You can read more about the security bug below:
    1) https://www.reddit.com/r/sysadmin/c...g_cloudflare_reverse/?st=izjqywza&sh=039931cf
    2) https://github.com/pirate/sites-using-cloudflare (You can see pokecommunity.com listed under the "Full List" download of this webpage)
    3) https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/


    Alternative suggestion:
    If you're working on an app for PokéCommunity, you guys should really consider implementing a 2 factor authentication segment of the application. vB 3.8.8 is super old software and is likely to have many security exploits at this point. Not to mention that the number of variables is increased by the high number of user-created styles on the forum. Not trying to fear monger here, but there's a lot of members on PC; security is important.

    2 Factor Authentication should also be considered as a standard option already (using text). There are many 2FA solutions for both symmetric and asymmetric options including OTP & PKI. These are offered by both free and paid middleware solutions. Using SMS may be the most secure option until there's an application available. Obviously, 2FA should be an optional security layer for all users (but highly recommended).
     
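    The Cloudflare incident report linked in the post above attributes the overrun to an end-of-buffer check written as == rather than >=. The following is an added illustration of that bug class, not Cloudflare's code: a toy HTML text extractor runs over a constructed buffer in which the request being parsed sits directly in front of another request's bytes, once with the == check and once with the >= check, so the difference in what ends up in the output is visible.

```c
#include <stddef.h>
#include <string.h>

/* Constructed memory layout for this example (not Cloudflare's code): the
 * request being parsed is immediately followed by bytes belonging to another
 * request, standing in for the neighbouring heap memory the real bug read. */
#define REQ_LEN 14                     /* byte length of the first literal below */
static const char BACKING[] =
    "<b>hello</b> <"                               /* request: unterminated '<' at its end */
    "<i>session=SECRET_FROM_OTHER_REQUEST</i>";    /* another request's data (made up) */

/* Copies the text outside tags into out (a stand-in for an HTML rewriter).
 * On '<' it consumes the '<' and the first tag-name byte together (p += 2),
 * so a request ending in a lone '<' steps p to pe + 1. The end-of-buffer
 * test is the Cloudbleed defect: with '==' a pointer that has already passed
 * pe never matches it again, and the scan keeps reading adjacent memory. */
static size_t extract_text(const char *buf, size_t len, const char *stop,
                           int fixed, char *out, size_t outcap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    int in_tag = 0;
    for (;;) {
        if (fixed ? (p >= pe) : (p == pe)) break;
        if (p >= stop) break;   /* demo-only guard: keeps the runaway read inside BACKING */
        if (in_tag) {
            if (*p == '>') in_tag = 0;
            p++;
        } else if (*p == '<') {
            in_tag = 1;
            p += 2;             /* skip '<' and the first tag-name byte */
        } else {
            if (n + 1 < outcap) out[n++] = *p;
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Scan with the buggy '==' check: the output carries the other request's bytes. */
size_t run_vulnerable(char *out, size_t outcap)
{
    return extract_text(BACKING, REQ_LEN, BACKING + sizeof BACKING - 1, 0, out, outcap);
}

/* Same scan with the '>=' check the incident report names as the one that would have caught it. */
size_t run_fixed(char *out, size_t outcap)
{
    return extract_text(BACKING, REQ_LEN, BACKING + sizeof BACKING - 1, 1, out, outcap);
}
```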
    Tsk, whenever I open "sorted_unique_cf.txt" within "full list.zip," the text file totally freezes and stops responding. So all I can access is the not-full list on the github webpage itself.

    Thank you all the same, Seeker.
     
    Tsk, whenever I open "sorted_unique_cf.txt" within "full list.zip," the text file totally freezes and stops responding.
    Then you need to get a better computer, or at least more RAM.

    vB 3.8.8 is super old software and is likely to have many security exploits at this point.
    *facepalm* To be exact, it's vB 3.8.9, but I must still wonder why it isn't kept up to date. That's almost 4 years old, so it should be a good time to upgrade it to the latest version, which is 5.2.6.
     
    I just got word from Rukario, you guys. There's nothing to worry about as far as PC goes.

    Here's proof:


    TheAdorbzOne - Today at 10:48 AM
    STEVE. Doesn't PC use cloudflare?
    PPN - Today at 12:48 PM
    yes
    TheAdorbzOne - Today at 12:55 PM
    Did you see the recent thing about the leaks?
    PPN - Today at 12:59 PM
    it was html / session and related and didn't affect us
    TheAdorbzOne - Today at 12:59 PM
    Oh, good.
     
    *facepalm* To be exact, it's vB 3.8.9, but I must still wonder why it isn't kept up to date. That's almost 4 years old, so it should be a good time to upgrade it to the latest version, which is 5.2.6.
    Did you really just facepalm that? Lol. The only real difference between .8 and .9 is that the latter supports PHP 5.5. vB 3.X.X is over a decade old and likely has security issues throughout. So it literally doesn't matter.

    The main reasons it hasn't been updated include: all forum styles being lost (there's literally hundreds), many - if not all - plugins being rendered obsolete, blogging as you know it would be lost, databases have been restructured and probably won't play well with the vB upgrading system, and many, many more reasons. Having been on the inside and outside of discussions involving changing forum software, there's a lot of things that would be lost in such an upgrade which don't necessarily make changing worthwhile.

    Also, if PC were to go with new software, I daresay they'd steer away from using vBulletin.

    I just got word from Rukario, you guys. There's nothing to worry about as far as PC goes.

    Here's proof:


    TheAdorbzOne - Today at 10:48 AM
    STEVE. Doesn't PC use cloudflare?
    PPN - Today at 12:48 PM
    yes
    TheAdorbzOne - Today at 12:55 PM
    Did you see the recent thing about the leaks?
    PPN - Today at 12:59 PM
    it was html / session and related and didn't affect us
    TheAdorbzOne - Today at 12:59 PM
    Oh, good.
    ...I'm not sure that's correct.
     
    I asked him as well and he reiterated we are not affected. I've referred him to this thread though, but I'm sure Bebop will also take some time to inspect this.
     
    I have tested the Cloudflare overrun issue and have determined it DOES NOT and DID NOT affect the community (most SSL sites using CF were not affected at all).

    All is well, vB aside,
     
    And to just confirm that we (PC and all of the sites we use/manage on CF) were not affected I provide you this email:
    Cloudflare via email said:
    Dear Cloudflare Partner:

    Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

    https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

    While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

    Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

    In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

    Fortunately, your customers' domains have not been discovered to expose data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your customers' domains during this search, we will reach out to you and your customer directly and provide full details of what we have found.

    To date, we have yet to find any instance of the bug or any exposed data being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

    Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don't hesitate to reach out.

    Matthew Prince
    Cloudflare, Inc.
    Co-founder and CEO
     
    Did you really just facepalm that? Lol. The only real difference between .8 and .9 is that the latter supports PHP 5.5. vB 3.X.X is over a decade old and likely has security issues throughout. So it literally doesn't matter.
    I facepalmed because PC has neglected forum software updates so badly.
     
    You do realize that vB 4 and 5 are completely different software from 3.8, right? Different looks, runs differently, and has different feature sets.
     