Security News Cloudbleed : Cloudflare's buffer overflow leak.

Hi everyone, very important update.
Authy, the most commonly used Google Authenticator alternative, was also affected by the issue.
Their response - SECURITY NOTICE: AUTHY RESPONSE TO CLOUDFLARE CLOUDBLEED INCIDENT • Authy

Long story short, you need to add all your accounts stored in Authy once again.
Why? Because it's based on Time-based One-Time Password (TOTP) type 2FA.
The tokens may have been compromised. I got the response re-confirmed from Authy Support.


For more details on how TOTP works, read these blogs:
Why You Should Never Use Google Authenticator Again
Cloudbleed Security Measures on TREZOR



Wow, interesting.
Maybe now I understand why nowadays people don't trust 2FA SMS anymore and want those USB authenticators.
That article would deserve another thread.
Thank you for sharing.
 
Even a password manager's plain text was found to be "crawled" in some cases. There were several incidents of Gmail prompting a user to confirm that it was them (the review account activity alert on your Android device) during that time period, but Google says it was not related.

I think Cloudflare's initial public statement downplayed the risks.

It's tax filing season. Make sure to be extra vigilant.
 
Reactions: Myriad
If I am understanding this correctly, all of this mayhem has been caused by ONE incorrect character in ONE line of code:

"==" should have been written as ">="

The result was a buffer overflow (not handled and not flagged) and stuff being written to who-knows-where.

Cloudflare say the error was in some old legacy code, but that is a feeble excuse IMO.

Just because that particular line of code has been gathering dust for a while does not make it any less of a blunder,
or even a disaster maybe (only time will tell, but I'm thinking not).

Looking on the positive side, this should be an encouragement to any folk who are taking their first steps with coding
.... if "professional coders" can make such a noob error, then it can happen to anyone!

.... hopefully with less drastic results :)
 
Reactions: soccer97
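
Added illustration (not part of the thread and not Cloudflare's code) of the `==` versus `>=` end-of-buffer check mentioned in the post above. The function names, the two-byte step on `=` and the memory layout are assumptions constructed for the demo; everything stays inside one array so the run past the logical end is safe to execute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { BACKING_LEN = 32 };   /* constructed: request bytes + neighbouring data */

/* Walk the input one byte at a time, except that '=' also consumes the
 * byte after it (a two-byte step). Every byte read at or beyond the
 * logical end `len` is copied to `leaked`; the count is returned.
 * Caller guarantees len <= cap and that `leaked` holds `cap` bytes. */
size_t scan(const unsigned char *mem, size_t len, size_t cap,
            int use_equality_check, unsigned char *leaked)
{
    size_t p = 0, n = 0;
    while (p < cap) {                 /* hard stop: stay in memory we own */
        /* The one-character difference: "==" is only true if the cursor
         * lands exactly on the end; ">=" also catches a cursor that
         * stepped over it. */
        if (use_equality_check ? (p == len) : (p >= len))
            break;
        if (p >= len)
            leaked[n++] = mem[p];     /* data that was never part of the input */
        p += (mem[p] == '=') ? 2 : 1;
    }
    return n;
}

/* Place `input` at the start of a buffer whose remainder is filled with
 * 'S', standing in for unrelated data that happens to sit next to it. */
size_t demo(const char *input, int use_equality_check, unsigned char *leaked)
{
    unsigned char mem[BACKING_LEN];
    size_t len = strlen(input);
    memset(mem, 'S', sizeof mem);
    memcpy(mem, input, len);
    return scan(mem, len, sizeof mem, use_equality_check, leaked);
}

int main(void)
{
    unsigned char out[BACKING_LEN];
    /* Input ending in '=' makes the last step jump from index 7 to 9, over the end at 8. */
    printf("== check, input ends in '=': %zu bytes past the end\n", demo("abc=def=", 1, out));
    printf(">= check, input ends in '=': %zu bytes past the end\n", demo("abc=def=", 0, out));
    printf("== check, ordinary input:    %zu bytes past the end\n", demo("abcdefgh", 1, out));
    return 0;
}
```

The equality check behaves correctly on ordinary input, which is why a bug of this kind can sit unnoticed until an input makes the cursor skip the end position.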