Jump to content

Phoenixed Forums May Have Been Affected by Cloudbleed


Recommended Posts

A security researcher at Google, Tavis Ormandy, discovered last week that Cloudflare was inadvertently leaking private and sensitive data from sites they proxy.  Cloudflare fixed the problem (since nicknamed "Cloudbleed") last weekend and spent a lot of this week working with search engine partners to scrub what sensitive data leaked out from their search results.  The details were disclosed on Thursday (today as I write).


Cloudflare Reverse Proxies are Dumping Uninitialized Memory by Tavis Ormandy, Google.

Incident report on memory leak caused by Cloudflare parser bug by John Graham-Cumming, Cloudflare.

There is no evidence of this yet, but Phoenixed Forums was potentially affected.  It's improbable but still possible that Cloudbleed could have allowed someone with an interest to see sensitive information such as account passwords.

Therefore, you should consider changing your passwords earlier than you intended.

  • Like 7
Link to comment
Share on other sites

It appears that Cloudbleed was a very serious vulnerability inside the Cloudflare network, and the impact was severe and widespread enough that major news organizations like Reuters covered the story.

It doesn't yet look like anything malicious was done with the leaks, but it's also impossible to tell which of Cloudflare's millions of sites had private user data exposed.  The odds of us being affected are very low, by way of being a very low-traffic website, but the consequences of being affected are just the same as big-name websites like Uber and Fitbit.

The only possible answers to whether a site using Cloudflare was affected or not are, "Yes, the site was definitely affected because data was found," or, "Maybe, because data wasn't found yet."  We're in the Maybe column right now.

You should change your passwords not just on Phoenixed Forums but on other websites you know use Cloudflare as well, especially if you use the same password on more than one site, or if you use a cloud-synced password manager that uses a site behind Cloudflare to synchronize your passwords.  If you've done so since Cloudflare disclosed the bug, then you should be OK.

  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...