PSA: you should change your RPS password, just in case

Last night, content delivery network and security service Cloudflare reported that a security issue means that it's possible they accidentally leaked user passwords for websites that use their service. Since RPS is a user of Cloudflare in the operation of our servers, that means that to be on the safe side you should change your RPS website and forum password. We think it's highly unlikely that any user will be affected but it's better to be safe than sorry. There's more information on exactly what's happened below, along with details of how to change your password.

When you visit RPS in Chrome or Firefox, you don't actually talk to our servers, you talk to Cloudflare's. They cache and filter your request, and then pass it onto our servers. They have servers all over the world, which means a lot of the unchanging stuff about the website (images) comes from a server closer to you, rather than it having to cross the ocean to talk to our servers in the UK. Cloudflare helps keep the site fast in distant lands, as well as for providing extra security support.

Unfortunately a problem in Cloudflare's code basically meant that a request for a broken or badly built website could return data for another, including private information used to authenticate users. Cloudflare estimates it affected 1 in 3,000,000 requests, a tiny proportion, but on the flipside Cloudflare handles billions of requests every day. It's fairly technical, but you can read Cloudflare's incident report here. The short version is, a bug in one of their modules meant that a parser module could perform a buffer overflow, and leak data it wasn't supposed to from the server handing the request involved. The window for the breach was between the 22nd of September 2016 and Monday the 20th of February, when it was fixed.

This may affect you if you logged into RPS, or our forums, because either your password might have been leaked whilst it was being sent to us, or the hashed (encrypted) authentication token we use to 'remember' you're logged in may have been leaked. We deem this to be fairly unlikely, but it is a possibility. There's currently no evidence of public or en-masse exploitation of the bug and it's unlikely that anyone has actively exploited it, but through an overabundance of caution we recommend you reset the passwords you use on RPS. You can do that from within your profile page. Please make sure to use a unique password; sharing passwords across sites is dangerous!

While we're talking about passwords though, we strongly recommend everyone use a password manager, such as LastPass or Dashlane. That way, you can use an automatically generated string of gibberish as your password, activate two or three-step authentication for every site, and it's no cost to you to reset if it becomes necessary since the manager looks after remembering your passwords for you. Alternatively, use a short sentence of real words you can remember easily.

The issue was found by a security worker with Google's Project Zero, who try to find security problems as yet unknown or unpatched.

Sorry for the inconvenience caused.