2017-02-24, 10:46 AM
As disclosed yesterday, Cloudflare reverse proxies - used by many websites for performance and security purposes including the MyBB Community Forums - have suffered from a memory leak vulnerability. This means that some sensitive information like account credentials and keys that have passed through the CDN's proxy servers may have been compromised by being randomly attached to HTTP responses.
The issue is related to changes to Cloudflare's HTML parser software deployed on September 22, 2016 (the earliest date any memory leak could have occurred) and its increased usage since February 13 (when the issue started affecting the majority of websites using Cloudflare). Google's Project Zero, a security research division focusing on popular products, have contacted Cloudflare on February 18 - at 0424 GMT a temporary fix has been applied globally.
According to Cloudflare, approximately 0.00003% of requests to the CDN's proxy servers included information originating from invalid regions of memory. As some of those have been cached by Google's and other search engines' robots, the companies have been cooperating to remove such entries from their indexes.
Although we have started encrypting connections to *.mybb.com both before and after the CDN inspects the traffic as early as August 2016, we believe the third party servers have been leaking data that was unencrypted at the time of inspection and therefore we advise all Community Forums users to change their passwords as soon as possible.
This vulnerability is related to all sites using the Cloudflare network and their users and administrators should take similar precautions.
Incident report on Cloudflare blog: https://blog.cloudflare.com/incident-rep...arser-bug/
Google's Project Zero issue history: https://bugs.chromium.org/p/project-zero...il?id=1139
The MyBB Team
The issue is related to changes to Cloudflare's HTML parser software deployed on September 22, 2016 (the earliest date any memory leak could have occurred) and its increased usage since February 13 (when the issue started affecting the majority of websites using Cloudflare). Google's Project Zero, a security research division focusing on popular products, have contacted Cloudflare on February 18 - at 0424 GMT a temporary fix has been applied globally.
According to Cloudflare, approximately 0.00003% of requests to the CDN's proxy servers included information originating from invalid regions of memory. As some of those have been cached by Google's and other search engines' robots, the companies have been cooperating to remove such entries from their indexes.
Although we have started encrypting connections to *.mybb.com both before and after the CDN inspects the traffic as early as August 2016, we believe the third party servers have been leaking data that was unencrypted at the time of inspection and therefore we advise all Community Forums users to change their passwords as soon as possible.
This vulnerability is related to all sites using the Cloudflare network and their users and administrators should take similar precautions.
Incident report on Cloudflare blog: https://blog.cloudflare.com/incident-rep...arser-bug/
Google's Project Zero issue history: https://bugs.chromium.org/p/project-zero...il?id=1139
The MyBB Team