Serious Cloudflare vulnerability breaks out; digital currency exchange Poloniex issues an emergency notice

Google security engineer Tavis Ormandy disclosed an information leakage vulnerability in Cloudflare, a US CDN service provider. In addition to affecting Uber, the password manager 1Password, the fitness-band company Fitbit and many other companies, the leak also involved digital currency trading platforms, including the well-known overseas exchange P network (Poloniex).

Some commentators said that the Cloudflare incident was the most serious information security leak in cloud services in recent years, and its impact may exceed that of the SHA-1 collision attack.

According to the latest announcement from P network (Poloniex):

“Due to the widespread impact of the Cloudflare information disclosure vulnerability, we strongly recommend that all users immediately change their passwords and enable 2FA authentication. For more information, please visit https://twitter.com/poloniex.”

It is reported that Cloudflare's engineers made a fatal error in their code that caused a memory leak and leaked users' HTTPS session data for months. The Cloudflare incident may become the most serious information security leak in cloud services in recent years. The leaked information has been cached by various crawlers, and the cache may contain a large amount of plaintext username and password information.

Google engineers were able to discover this vulnerability because they found sensitive information in the contents of Google's cache. It is currently reported that Google engineers have to work overtime on weekends to write tools to clean up sensitive information in Google's cached data.

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a security process where users must provide two pieces of identification before logging into their accounts. For two-factor security, one is your password and the other is a unique code generated by an authentication app installed on your smartphone. The two most popular authentication apps are Google Authenticator and Authy.

Here is a brief introduction on how to install and use Google Authenticator (using Apple devices as an example).

Requirements

To use Google Authenticator on your iPhone, iPod Touch, or iPad, you must have iOS 5.0 or later. Additionally, to set up the app on your iPhone using a QR code, you must have an iPhone 3G or later.

Download the app

  1. Visit the App Store.

  2. Search for Google Authenticator.

  3. Download and install the app.

Set up the app

  1. Complete SMS/Voice setup and register your account for 2-step verification using your mobile number if you haven't already done so. You can only add the Google Authenticator app after you've registered with your mobile number.

  2. Visit the 2-step verification settings page from your computer and click iPhone.

  3. Open the Google Authenticator app on your mobile device.

  4. Tap the Plus icon.

  5. Tap Time Based.

  6. To link your mobile device to your account:

     - Using a barcode: Click Scan barcode, then point your camera at the QR code that appears on your computer screen.

     - Using manual entry: Click Manually enter verification code, then enter the email address you use for your Google Account. Then, enter the key that appears on your computer screen in the box next to Key, then click Done.

  7. To test that the app is working properly, enter the verification code from your mobile device into the box next to "Verification Code" on your computer and click "Verify." You can use the clock icon on your mobile device to see how long you have until your current verification code expires and a new one is generated.

  8. If the code is correct, you'll see a confirmation message. Click Save to confirm. If the code is incorrect, try generating a new code on your mobile device and entering it on your computer. If you're still having trouble, you may need to verify that the time on your device is correct or refer to the FAQ.
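What the "Time Based" option in the steps above computes, and why a wrong device clock makes a code fail, shown as an added example that is not part of the original article and is not Google's code. It follows the public TOTP standard (RFC 6238, HMAC-SHA1, 30-second steps); the key is a constructed sample (the RFC's test secret), the function names are hypothetical, and the one-step tolerance on either side is an assumption, not any particular service's policy.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid
DIGITS = 6   # length of the code shown in the app
# Constructed sample key (the RFC 6238 test secret), typed the way a site shows it.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

def totp(key_b32, at, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    # The "Key" entered manually is base32, often grouped with spaces.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(at) // step)   # number of steps since epoch
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_remaining(at, step=STEP):
    """Seconds until the current code expires (what the clock icon shows)."""
    return step - int(at) % step

def verify(key_b32, code, server_time, window=1, step=STEP):
    """Return the clock drift in steps if `code` is accepted, else None."""
    for drift in range(-window, window + 1):
        expected = totp(key_b32, server_time + drift * step, step)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            return drift
    return None

if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(SAMPLE_KEY, now),
          "expires in", seconds_remaining(now), "s")
    # A phone whose clock runs two minutes slow produces a code the server rejects.
    stale = totp(SAMPLE_KEY, now - 120)
    print("code from slow phone accepted:", verify(SAMPLE_KEY, stale, now) is not None)
```
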
