I actually got a better read from the admin of a discord server I'm in, so I'll post this here:

    There has been a major security flaw within Cloudflare and thus meaning within Discord. Its highly suggested that you cycle your passwords everywhere.

    Impact

    Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.

    Data was cached by search engines, and may have been collected by random adversaries over the past few months.

    "The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day"

    What you should do

    Change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Of the sites compromised, most notably there is Reddit, Uber, StackOverflow, Patreon, DigitalOcean, 4chan, and many many more.

    You can check which sites were affected by this on the readme of this github page https://github.com/pirate/sites-using-cloudflare

    I cannot stress this enough, please change your passwords everywhere as this affects everyone everywhere!

The article goes more in-depth on protocol and what this means.


lm:

This is yet ANOTHER memory safety bug. Hopefully more and more people will become convinced that we need to move away from C and C++ to languages that are memory safe by default, such as Rust.

(Of course, what I'd really like to see is more provably correct code, but the tools to do that are far from being accessible to normal humans right now.)


posted by kantos: 578 days ago