Security News Cloudbleed : Cloudflare's buffer overflow leak.

D

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
centreofgravity said:
Hi Everyone Very important update.
Authy the most commonly used Google Authenticator alternative was also affected by the issue.
Their response - SECURITY NOTICE: AUTHY RESPONSE TO CLOUDFLARE CLOUDBLEED INCIDENT • Authy

Long story short you need to add all your accounts stored in Authy once again.
Why because its based on Time-based One Time Password(TOTP) type 2FA.
The tokens may have been compromised. I got the response re-confirmed from Authy Support.


For more details on how TOTP works read these blogs
Why You Should Never Use Google Authenticator Again
Cloudbleed Security Measures on TREZOR

0*nWGWoyFQ_SVN_KnZ.
Click to expand...


wow interesting.
maybe now I understand why nowdays people don't trust 2FA sms anymore and want those usb authenticators
that article would deserve a another thread
thank you for sharing
 
  • Like
Reactions: Der.Reisende, centreofgravity, BugCode and 3 others
S

soccer97

Level 11
Verified
May 22, 2014
517
Even a password manager's plain text was found to be "crawled" in some cases. There were several incidences of Gmail prompting a user to confirm that is was them (the review account activity alert on your android device) during that time period but Google says it was not related.

I think CloudFlare's initial public statement downplayed the risks.

It's tax filing season. Make sure to be extra vigilant.
 
  • Like
Reactions: Myriad
Myriad

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
If I am understanding this correctly , all of this mayhem has been caused by ONE incorrect character in ONE line of code :-

"==" should have been written as ">="

The result was a buffer overflow ( not handled and not flagged ) and stuff being written to who-knows-where.

Cloudflare say the error was in some old legacy code , but that is a feeble excuse IMO.

Just because that particular line of code has been gathering dust for a while does not make it any less of a blunder ,
or even a disaster maybe ( only time will tell , but I'm thinking not )

Looking on the positive side , this should be an encouragement to any folk who are taking their first steps with coding
.... if " professional coders " can make such a noob error , then it can happen to anyone !

.... hopefully with less drastic results :)
 
  • Like
Reactions: soccer97
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Canadian telecom company Telus investigating potential data breach
Replies
0
Views
561
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
oldschool
    • Like
    • +Reputation
    • Applause
Security Firms Aiding Ukraine During War Could Be Considered Participants in Conflict
Replies
3
Views
925
News Archive
Bumblebee Uncle
Bumblebee Uncle
oldschool
    • Like
    • Applause
    • +Reputation
The case for slowing down AI
Replies
5
Views
903
News Archive
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top