PSA: Change your (Bukkit) passwords to be safe, Heartbleed security hole

Discussion in 'Community News and Announcements' started by EvilSeph, Apr 11, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    Three days ago (April 8th, 2014) word broke of a critical vulnerability (code named "Heartbleed") within the popular cryptographic software, OpenSSL, that allows an attacker to read the memory of the host system. Roughly two thirds of the internet relies on OpenSSL to keep sensitive data secret and private, leaving many sites and services (including those provided by Bukkit) potentially open to data leakage.

    How did Bukkit respond?
    CloudFlare, a service we depend on for Content Distribution among other things for many of our sites, patched the hole before it became public knowledge and we patched the rest of our systems shortly after (although it did take slightly longer due to complications we experienced with some of them). Despite our relatively quick response to this issue, this security hole has existed in OpenSSL since December 31, 2011 (though it was only made known recently) so the impact of this vulnerability is unknown.

    What do we recommend you do?
    It's better to be safe than sorry in this case. Although we (and the services we use) responded quickly to patch this exploit, the vulnerability has existed for more than 2 years prior making it difficult to evaluate its impact. Couple this with the fact that the use of this exploit leaves no traces, we advise our community to reset all Bukkit related passwords as soon as possible.

    As for other sites, services or applications you use, you should be on the lookout for statements from their teams notifying you that Heartbleed has been patched or does not affect them before resetting your passwords and authentication information. If you use the same passwords for Bukkit as you do elsewhere (which you should not be doing), please change your passwords on those sites and services too.
     
  2. Thanks for the heads up!
     
  3. Offline

    Borlea

    Good thing this didn't last too long, But it should of lasted less
     
  4. If you've entered personal information on any site, I suggest keeping a lookout for anything unusual and change your password as soon as possible.

    Here's a list of known affected & unaffected sites: http://www.digitaltrends.com/comput...egedly-affected-by-the-heartbleed-bug/#!DHltx

    Another List: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt



    Also, this is directly from the OpenSSL team, which might be useful for some: https://www.openssl.org/news/secadv_20140407.txt

    Last too long? It lasted for over 2 years... if that's not too long, then I don't know what is. Do you know how much information could have been compromised in that length of time?
     
    KingFaris11 likes this.
  5. You can also check yourself if they are (still) affected here: http://filippo.io/Heartbleed/
     
    coaster3000 likes this.
  6. Offline

    ThaSourceGaming

    Okay thanks!
     
  7. Thank you for bringing this to our attention! I believe Mojang also made a similar post too regarding the bug. Just to be on the safe side, I updated all my passwords.
     
  8. It's good of you to let us know, but I honestly don't understand why a typical hacker would want a Bukkit account :/
     

  9. IANAL, but some people have expressed opinions that if you're in the UK you're likely breaking the Computer Misuse Act by testing websites that aren't yours for security vulnerabilities. I believe there's similar legislation in the US, too.

    Sadly the legislation (again, IANAL) doesn't usually distinguish intent.

    Some people (sigh) reuse passwords across multiple services. If that password gets compromised ANYWHERE then they're vulnerable EVERYWHERE, hence the advice not to reuse passwords - because if the service you're giving your password to is either malicious or compromised, you're now entirely unsafe, and you might not even realise until it's too late!
     
    drtshock likes this.
  10. Good point.
     
  11. Good to know, but you aren't testing it yourself. It's more like you ask the server to do that and send the result to you. I doubt clicking buttons on a website can get you jailed.
     

  12. http://www.wired.com/2013/03/att-hacker-gets-3-years/
    Yes, his case was thrown out, but it was thrown out on a technicality. :p Frightening implications are frightening. Also, that's basically the same argument as downloading a piece of software to do it and running that against a website.
    But that's not my point (or a lawyer's interpretation).

    The wording of the Computer Misuse Act is such that viewing information you're not authorised to see could be construed as a violation - therefore clicking the button and viewing the result on his site (which displays bits of the servers memory you're not authorised to access) could be a violation.

    Yay, stupid laws are stupid.
     
  13. I just hacked a website. Here's the sql dump:
    Code:
    +-----------+--------------+
    | username  | plaintextpw  |
    +-----------+--------------+
    | lukegb    | 123456       |
    | admin     | pen0r        |
    +-----------+--------------+
    now you go to jail cause you're viewing it! :D
     
  14. As if anyone will care about your password to your "horse fanciers social" or whatever community. What is worthwhile are email passwords for sending spam. So when your friends start saying they got spam from you, it means your password was stolen.

    Financial passwords are valuable, but since using them from a new computer frequently requires a validation process, that's not so much of a problem. Also, any decent financial institution doesn't use OpenSSL anyway.
     
Thread Status:
Not open for further replies.

Share This Page