TL;DR: Bungie is using CloudFlare which is a service to cache/speed up pages. And it has a massive security leak. How is it affecting Bungie.net, the API, integrations, Xbox/Playstation integration and what not.
Longer version:
CloudFlare released a statement where a memory leak in their parsers could result in leaking private information. This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens).
I quickly checked the Bungie.net DNS servers to see if they were using cloudflare:
[quote]dig bungie.net NS
; <<>> DiG 9.8.3-P1 <<>> bungie.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64523
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;bungie.net. IN NS
;; ANSWER SECTION:
bungie.net. 86400 IN NS ben.ns.cloudflare.com.
bungie.net. 86400 IN NS lucy.ns.cloudflare.com.
;; Query time: 30 msec
;; SERVER: 192.168.192.1#53(192.168.192.1)
;; WHEN: Fri Feb 24 12:20:15 2017
;; MSG SIZE rcvd: 82[/quote]
Which appears to be the case. How does this security leak affect Bungie? Could we assume that all OAuth 2 accessTokens will be revoked and refreshed? Could OAuth handshake information be leaked between PlayStation/Xbox services and Bungie?
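The check in the post (look at a domain's NS records and see whether they sit on cloudflare.com) is easy to automate when you have many domains or third-party integrations to review. The following is an added example, not code from the original post or from Bungie: a small parser for the default `dig` output format that pulls the ANSWER SECTION and reports whether every nameserver is a Cloudflare one. The first sample is the dig output quoted in the post, re-typed; the second is a constructed negative case with placeholder nameservers.

```python
import re
from typing import Dict, List

# Sample 1: the `dig bungie.net NS` output quoted in the post above (re-typed, not re-queried).
DIG_BUNGIE = """\
; <<>> DiG 9.8.3-P1 <<>> bungie.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64523
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bungie.net.\t\t\tIN\tNS

;; ANSWER SECTION:
bungie.net.\t\t86400\tIN\tNS\tben.ns.cloudflare.com.
bungie.net.\t\t86400\tIN\tNS\tlucy.ns.cloudflare.com.

;; Query time: 30 msec
;; SERVER: 192.168.192.1#53(192.168.192.1)
;; WHEN: Fri Feb 24 12:20:15 2017
;; MSG SIZE  rcvd: 82
"""

# Sample 2: a constructed negative case; example.net and its nameservers are placeholders.
DIG_OTHER = """\
;; ANSWER SECTION:
example.net.\t\t3600\tIN\tNS\tns1.example.net.
example.net.\t\t3600\tIN\tNS\tns2.example.net.

;; Query time: 12 msec
"""

# One resource record line in dig's default presentation format:
#   <owner> <ttl> IN <type> <rdata>
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_answer_section(dig_output: str) -> List[Dict[str, str]]:
    """Return the resource records listed under ';; ANSWER SECTION:'.

    The section ends at the first blank line or the next ';;' header,
    so footer lines (query time, server, ...) are never parsed as records.
    """
    records: List[Dict[str, str]] = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break
        match = RR_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def nameservers(dig_output: str) -> List[str]:
    """NS targets from the answer section, normalised (lower case, no trailing dot)."""
    return [
        rec["data"].strip().rstrip(".").lower()
        for rec in parse_answer_section(dig_output)
        if rec["type"] == "NS"
    ]


def uses_cloudflare_dns(dig_output: str) -> bool:
    """True when the zone is delegated entirely to Cloudflare nameservers.

    Cloudflare-hosted DNS is a strong indicator that the site is behind
    Cloudflare, but only records that are actually proxied through their
    edge pass through the affected parsers; treat this as a triage signal.
    """
    ns = nameservers(dig_output)
    return bool(ns) and all(n.endswith(".ns.cloudflare.com") for n in ns)


def triage_report(domain: str, dig_output: str) -> str:
    """One-line summary suitable for a list of domains under review."""
    status = "Cloudflare DNS (review sessions/tokens)" if uses_cloudflare_dns(dig_output) else "not on Cloudflare DNS"
    return f"{domain}: {status}; NS = {', '.join(nameservers(dig_output)) or 'none'}"


if __name__ == "__main__":
    print(triage_report("bungie.net", DIG_BUNGIE))
    print(triage_report("example.net", DIG_OTHER))
```

Feed it the output of `dig <domain> NS` for each domain or integration partner you depend on; a positive result is the cue to rotate the credentials the post lists (session cookies, API keys, OAuth tokens), since those are exactly the values that could have been exposed in leaked responses.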
-
I know it's a little late, but [url=https://www.bungie.net/en/Clan/Post/39966/222645964/0/0]the web team were on top of this and invalidated all sessions[/url]. If you have authorised an application which uses the bungie.net API (Bungie.net Platform), you may wish to ask the author of the application if they regenerated their API keys.
-
So user passwords have been leaked? Should I change my password?
-
Very nice catch, I really hope Bungie addresses this
-
You're a smart man. Change passwords people, and bumpitty.
-
bump again
-
No clue what any of this means, but it sounds kinda serious so I'll bump it and hope it becomes less of a... thing...