Handmade Network»Blog

Cloudbleed, or why we issued a site-wide password invalidation on 2017-02-24

Well, handmade developers, it's been an interesting day so far.
Cloudflare disclosed that a bug in one of their HTML parsers (a buffer overrun, not a memory leak in the allocation sense) could make it read past the end of the page it was handling, so that memory belonging to completely unrelated requests ended up in the responses it served.

TL;DR: Cloudflare screwed up, Google noticed and told them, Cloudflare fixed it, people will be resetting passwords everywhere for days to come.

Long story short: If your site was behind Cloudflare, they may have leaked potentially sensitive information; that information may have ended up in Google's and other caches. This was regardless of whether or not your site used the vulnerable features that caused it to leak, because your traffic might have previously transited through the node in question, with some of your pages remaining in memory.
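As an added illustration of the bug class the post describes (constructed for this write-up, not Cloudflare's parser): an HTML rewriter that works inside one buffer reused for every response and whose end-of-input test is an exact equality. A page truncated where a tag begins pushes the cursor past the end, the equality check never fires, and the rewriter copies out whatever an earlier, unrelated response left behind in the buffer. The arena size, the tag-skip rule and both sample responses are assumptions made for the demonstration.

```python
"""Constructed simulation of a cross-request memory disclosure in a
shared proxy buffer. Not Cloudflare's code: the arena, the '<s' skip
rule and both responses are made up for the demonstration."""

ARENA_SIZE = 256

# Constructed: a response an earlier, unrelated client received through
# the same node. Its Set-Cookie line is the sort of data that "remained
# in memory" after that client was served.
PREVIOUS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Set-Cookie: session=SECRET-TOKEN-123; HttpOnly\r\n\r\n"
                     b"<html>welcome back</html>")

# Constructed: the page that triggers the bug, cut off where a tag begins.
MALFORMED_PAGE = b"<html><s"


class ProxyNode:
    """One edge node. Every response body is loaded into the same arena
    and nothing is zeroed between requests, so the tail of the previous
    body survives beyond the end of the current one."""

    def __init__(self) -> None:
        self.arena = bytearray(ARENA_SIZE)

    def rewrite(self, body: bytes, *, fixed: bool) -> bytes:
        """Copy `body` to the output, treating any '<s' as the start of an
        8-byte '<script>' opener to be dropped.

        fixed=False: the loop stops only when cursor == end (the bug).
        fixed=True:  the loop stops as soon as cursor >= end.
        """
        end = len(body)
        self.arena[0:end] = body            # load without clearing the rest
        out = bytearray()
        i = 0
        while i < ARENA_SIZE:               # hard limit of the arena itself
            if (i >= end) if fixed else (i == end):
                break
            if self.arena[i:i + 2] == b"<s":
                i += 8                      # skip the opener; may jump past `end`
                continue
            out.append(self.arena[i])
            i += 1
        return bytes(out)


def demonstrate(fixed: bool) -> bytes:
    """Serve the unrelated response first, then the malformed page, and
    return what the second client receives (trailing unused arena bytes
    stripped for readability)."""
    node = ProxyNode()
    node.rewrite(PREVIOUS_RESPONSE, fixed=fixed)
    return node.rewrite(MALFORMED_PAGE, fixed=fixed).rstrip(b"\x00")


if __name__ == "__main__":
    print("vulnerable:", demonstrate(fixed=False))
    print("fixed:     ", demonstrate(fixed=True))
```

With the buggy check the second client gets its own `<html>` followed by the previous client's session cookie; with `>=` the loop ends at the first out-of-range cursor and the output is just `<html>`. The point that matters for a site owner is that the site whose cookie leaks never had to trigger the bug at all: it only had to have been served from that buffer earlier.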

So while it looks like we weren't part of the subset of sites that triggered a leak, our traffic may still have gone through their proxies at an inopportune time…

Better safe than sorry: we decided to invalidate passwords for all members who hadn't changed their password today and add a little note to the login form.

And that's where we're at now, folks.
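The cut-off based invalidation described above, as an added example that is not HMN's own code: an in-memory SQLite copy of an assumed users table, a single update that nulls out every hash set before the cut-off and flags the account, and the check the login form must make before comparing any password. The schema, column names, sample rows and cut-off time are assumptions. The session purge is an extra step beyond what the post describes; it is included because Cloudflare's disclosure listed cookies and authentication tokens among the data that could leak, so a session issued before the cut-off is as suspect as the password.

```python
"""Added example (not HMN's code): cut-off based password invalidation
after an upstream disclosure, on an in-memory SQLite table. Schema,
column names, timestamps and sample rows are constructed."""
import sqlite3

# Assumed cut-off: start of the disclosure day, UTC. Any password set
# before it is treated as potentially exposed; one changed later is kept.
INCIDENT_CUTOFF = "2017-02-24T00:00:00Z"

# Constructed sample data; the hash column holds placeholders, not hashes.
SAMPLE_USERS = [
    (1, "alice@example.org", "hash-alice", "2017-02-24T13:05:00Z"),  # rotated today
    (2, "bob@example.org",   "hash-bob",   "2016-11-03T09:00:00Z"),  # old
    (3, "carol@example.org", "hash-carol", "2017-02-23T23:59:00Z"),  # just before cut-off
]
SAMPLE_SESSIONS = [
    ("tok-a1", 1, "2017-02-24T13:06:00Z"),
    ("tok-b1", 2, "2017-02-20T08:00:00Z"),
    ("tok-b2", 2, "2017-02-24T10:00:00Z"),
]


def setup_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL,
            password_hash TEXT,
            password_changed_at TEXT NOT NULL,
            must_reset INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE sessions (
            token TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL,
            issued_at TEXT NOT NULL
        );
    """)
    db.executemany(
        "INSERT INTO users (id, email, password_hash, password_changed_at) "
        "VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    return db


def invalidate_stale_credentials(db: sqlite3.Connection,
                                 cutoff: str = INCIDENT_CUTOFF) -> dict:
    """Null out every password hash set before the cut-off and flag the
    account, then revoke sessions issued before the cut-off or belonging
    to a flagged account.

    Nulling the hash, rather than only setting a flag, leaves no code path
    that could still accept the old password. Timestamps are ISO 8601 UTC
    in one fixed layout, so plain string comparison orders them correctly.
    The `must_reset = 0` guard makes a re-run report zero rows.
    """
    with db:
        users = db.execute(
            "UPDATE users SET password_hash = NULL, must_reset = 1 "
            "WHERE password_changed_at < ? AND must_reset = 0",
            (cutoff,)).rowcount
        sessions = db.execute(
            "DELETE FROM sessions WHERE issued_at < ? "
            "OR user_id IN (SELECT id FROM users WHERE must_reset = 1)",
            (cutoff,)).rowcount
    return {"users_invalidated": users, "sessions_revoked": sessions}


def password_login_allowed(db: sqlite3.Connection, email: str) -> bool:
    """The check the login form makes before comparing any password: an
    unknown account, a flagged one, or one with no hash goes to the reset
    flow instead."""
    row = db.execute(
        "SELECT password_hash, must_reset FROM users WHERE email = ?",
        (email,)).fetchone()
    return row is not None and row[0] is not None and row[1] == 0


def session_valid(db: sqlite3.Connection, token: str) -> bool:
    return db.execute(
        "SELECT 1 FROM sessions WHERE token = ?", (token,)).fetchone() is not None


if __name__ == "__main__":
    demo = setup_demo_db()
    print(invalidate_stale_credentials(demo))
    for email in ("alice@example.org", "bob@example.org"):
        print(email, "may log in with a password:", password_login_allowed(demo, email))
```

Run once, bob and carol lose their hashes and all of bob's sessions go, including the one issued after the cut-off, since a password leaked earlier could have been used to open it; alice, who rotated on disclosure day, keeps both her password and her session.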

Should you request a password reset but not receive an email with a reset link in a reasonable time, it's possible you've signed up to the site using a different email address. In that case, please try using the alternate email address you might've used at the time.

This, as an aside, is another good reason to use a password vault such as KeePass. Other than safely storing strong passwords that are unique per site, it also allows you to store additional notes, like the email address you used to sign up with.

While it was already near the top of our technical roadmap, this incident underscored the usefulness of 2FA (two factor authentication). It's a feature we're hoping to bring to you next month.

We apologise for the added inconvenience our response to this incident may have caused, but we felt it was necessary to act swiftly and decisively in the interest of our member base at large.

To avoid adding yet more inconvenience we won't be sending out mass emails telling people to change their password. Those who visit the site regularly will find themselves needing to use the password reset to be able to log in, and those who visit more infrequently, well… their old passwords will no longer work, so their accounts will be safe from abuse until their return.

We're of the opinion you'll be receiving enough solicitations to change your password from other sites over the next couple of days, and because the security of your accounts isn't affected, we feel no need to add to your burden until you desire to log in again.

Should there be interesting developments, we'll update this blog post.

- Jeroen on behalf of the staff.
James:
For anyone that is interested in taking a proactive stance w.r.t. changing their passwords.

There has been a community effort to compile a list of all known sites that sit behind CloudFlare infrastructure.

https://github.com/pirate/sites-using-cloudflare

The chances are, if you haven't been on a given site in a long time (I believe CloudFlare identified that the earliest possible time data could have been leaked through this bug was September 2016), then you're probably ok. Personally, I don't like taking chances, and take a rather paranoid approach to usernames/passwords (many throwaway emails).

I can definitely second the use of something like KeePass (I use it personally).
Jeremiah Goerdt:
Keepass is amazing. It works on pretty much every platform. I combine it with Syncthing to make sure I always have my vault on me.
I used Keepass for ages, but I recently switched to KeepassX which is essentially the same thing but it's open source. In my experience it hasn't been much better or worse but it's officially cross-platform.
Mārtiņš Možeiko:
Having password managers to generate unique passwords is good, but still doesn't protect you against this kind of leak.

What you (as users) should do is ask the websites you visit to implement 2FA and more importantly U2F. Depending on implementation 2FA can be relatively easy to attack, but U2F is currently the best option for security.
Jeroen van Rijn:
mmozeiko
Having password managers to generate unique passwords is good, but still doesn't protect you against this kind of leak.

What you (as users) should do is ask the websites you visit to implement 2FA and more importantly U2F. Depending on implementation 2FA can be relatively easy to attack, but U2F is currently the best option for security.


Agreed. As far as HMN is concerned, we'll be implementing U2F with a TOTP fallback for those who don't have U2F capability. Sending a one-time code by email on a login request is better than nothing, but I'm not a fan.
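The TOTP fallback mentioned in the reply above, as an added example that is not HMN's code: the RFC 6238 algorithm (HOTP from RFC 4226 with the counter derived from the 30-second time step) plus the two checks a server-side verifier has to add itself, a small clock-drift window and a refusal to accept a step that has already been used. The secret is the RFCs' published test-vector key; the one-step window and the `last_counter` bookkeeping are assumptions about how a site would store state.

```python
"""Added example (not HMN's code): TOTP verification per RFC 6238 on top
of HOTP (RFC 4226). The secret below is the RFCs' test-vector key; the
drift window and the per-user `last_counter` are assumed server state."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and shows it as
# base32 for the authenticator app; this key exists so results are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter as big-endian u64)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, *, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the accepted step counter, or None if the code is rejected.

    window: steps of drift tolerated on either side (1 = up to 30 s each way).
    last_counter: highest counter already accepted for this user; anything at
    or below it is refused, so a code captured in transit cannot be replayed
    while it is still inside the window. The caller persists the returned
    counter as the new last_counter.
    """
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time compare: a timing difference here would let an
        # attacker confirm the code digit by digit.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def current_code(secret: bytes, digits: int = 6) -> str:
    """What an authenticator app would display right now for `secret`."""
    return totp(secret, int(time.time()), digits=digits)


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
    print("code now:", current_code(RFC_TEST_SECRET))
```

The two TOTP-specific failure modes are visible in the verifier: a code from the previous step is still accepted one step late (clock drift), and the same code is refused a second time once its counter has been recorded (replay). Without the second check a code phished or sniffed from a user remains valid for the whole window.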
Matt Mascarenhas:
What do you folks use for U2F? And are the keys any different anyway?
Mārtiņš Možeiko:
YubiKey: https://www.yubico.com/products/yubikey-hardware/

I have one Neo and one Nano. I use it everywhere it is possible - google, github, gitlab (doesn't work in HMN yet), Dropbox, etc... Neo is really nice because it also works with my Android using NFC, but Nano is very tiny, so it's very convenient to keep it plugged in all the time while you are in front of it.

I also plan to use my YubiKey for LUKS FDE on my Arch: https://github.com/agherzan/yubikey-full-disk-encryption just need to find free time to do this.

What do you mean by different keys?
Matt Mascarenhas:
Cheers, Martins. The Nano looks like it'll be the best fit for me because I don't have a device that could make use of the Neo's NFC authentication anyway.

By different keys I just meant are there any functional differences between the various models / manufacturers of U2F keys? Yubikey's product list alone shows that there are differences, though!
Mārtiņš Možeiko:
Right, there are implementation differences. But I don't think there will be any problems using it with any service. U2F is a standard: https://fidoalliance.org/download/ and anybody can implement it. It's not YubiKey specific, although they were the ones that pushed for this standard.