Forum issue? Getting logged into other people's accounts at random


Dai

  • Awards Moderator

What a fucking mess. I've deleted all my PMs now for the benefit of those I've shared messages with over the years - some of which had very personal information about me and others. PMs have now been disabled to mitigate future risk.

But a comment by @ReturnOfTheMack in Paid made me want to clarify that anyone who ever sent me their name and address for Secret Santa, your details were always immediately deleted once I logged them into an encrypted file offline (which in turn was deleted once all gifts had been confirmed as received). It's been that long since I did Secret Santa it didn't occur to me to put minds at rest, but your details were deleted within a few minutes of receiving them (both on here and the SS email account).


27 minutes ago, chokeout said:

My PMs are full of requests to pop a hat on avatars and death threats from Bowler. Without context they'd probably be quite enjoyable but I'm gutted for anyone that's got personal info on there

WAT U LYING FOR? YOU MADE ME MAD ECT

Sorry, was still logged in as Bowler...


Yeah, like @Monkee I went to PMs when it was my name at the top and then saw someone else’s PMs. Closed it immediately, no interest in other people’s affairs.

It’s a nasty security issue we’ve uncovered here though, as @Chest Rockwell says we must rely on people not being dicks and reading through others’ messages.  

Looking back through my own there’s nothing there that’s worrying although I clearly started a big Best Film Scenes project about 15 years ago and never finished it 😂


Regarding @Chest Rockwell's announcement at the top of the site: have email addresses been exposed wholesale through a database breach, or only through the chance of someone individually viewing them while "signed in" as that member?

The latter's not great, obviously, but just to get a sense of scale on the issue.


  • Admin
8 minutes ago, Uncle Zeb said:

Regarding @Chest Rockwell's announcement at the top of the site: have email addresses been exposed wholesale through a database breach, or only through the chance of someone individually viewing them while "signed in" as that member?

The latter's not great, obviously, but just to get a sense of scale on the issue.

It wasn't a "database leak" but a caching issue. So the impact is limited to whatever you might have browsed on the forum during the time periods mentioned in the announcement at the top - I updated it to clarify the impact and the timescales.


  • Paid Members
2 minutes ago, Moo said:

It wasn't a "database leak" but a caching issue. So the impact is limited to whatever you might have browsed on the forum during the time periods mentioned in the announcement at the top - I updated it to clarify the impact and the timescales.

I don’t think this is entirely accurate as I don’t recall going into my PMs at all but someone has been through them.


  • Admin
4 minutes ago, FelatioLips said:

I don’t think this is entirely accurate as I don’t recall going into my PMs at all but someone has been through them.

The way the cache works is it will only cache something if you requested it. If you browsed a particular page during the time period, there's a risk your version of that topic/post/forum would be cached and served to some others (until it was fixed & purged this morning), and the same would extend to your personal pages like the profile or messenger page. You could easily see one person logged in on one page and a different person on the next link you click - because it's essentially whichever version of a particular URL is cached first. To further complicate things, it also would be different depending on where you are requesting the page from as each location would have its own cache.


10 minutes ago, Moo said:

The way the cache works is it will only cache something if you requested it. If you browsed a particular page during the time period, there's a risk your version of that topic/post/forum would be cached and served to some others (until it was fixed & purged this morning), and the same would extend to your personal pages like the profile or messenger page. You could easily see one person logged in on one page and a different person on the next link you click - because it's essentially whichever version of a particular URL is cached first. To further complicate things, it also would be different depending on where you are requesting the page from as each location would have its own cache.

I understand none of this, but appreciate you taking the time to talk through it.


  • Paid Members
7 minutes ago, Mr_Danger said:

Some lucky bastards might have gotten the inside scoops on the Hicks and Gillett saga that Hitman Numbers used to randomly send me. 

He'd message me out of the blue talking about Liverpool's hopes for the coming season, for some reason. 


  • Admin
8 minutes ago, SuperBacon said:

I understand none of this, but appreciate you taking the time to talk through it.

So a request to a website with a CDN cache (like we have) works like this:

Your browser > Content Delivery Network (CDN) Cache > ukff.com server

If the URL is in the cache, then the content is returned without talking to our server, like this:

Your browser > Content Delivery Network (CDN) Cache

A typical CDN has maybe 100+ different caches around the world. If we assume most UKFF visitors are from the UK (logical!?) then there's maybe 3-4 different cache locations people typically would be routed to. Under normal circumstances, logged-in content would not be cached at all - and traffic would skip the cache and be delivered *only* to you.

However, during the time period of ~1300 yesterday to ~0930 today the CDN was caching too aggressively. What that means is if you were the first person to hit http://ukff.com/some/url in let's say the London location yesterday when the issue started, the version of http://ukff.com/some/url that you saw would go into the cache. If I came along after that and requested the same http://ukff.com/some/url URL, I might see your version of the page. So individual logins weren't compromised or leaked, but you might have seen the HTML that was destined for me because my version got cached before you. It's an important distinction between that and a database leak which is where someone gets the entire database of all users and content, forever. That is not what happened. The tricky part is it's really hard to be certain exactly what pages were cached and from which accounts... but suffice to say if you did not visit ukff.com while logged in during the time period, your pages will absolutely not have been put into the cache at all and therefore nobody else could have seen them.

The fix was to remove the caching configuration and purge the cache completely, which is what happened at ~0930 today. At that point, all cached pages were removed.

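The URL-keyed caching behaviour described in the post above, as an added illustration that is not part of the original thread and is not the forum's actual CDN configuration. The `session` cookie name, the users `alice` and `bob`, the Manchester location and the toy `origin` function are all constructed assumptions.

```python
# Toy model of a per-location edge cache whose key is the URL only.
# Cookie name, users and origin behaviour are constructed for illustration.

def origin(url, cookies):
    """Constructed origin server: renders the page for the session's user."""
    user = cookies.get("session", "guest")
    cc = "public, max-age=60" if user == "guest" else "private, no-store"
    return {"Cache-Control": cc}, f"<html>{url} rendered for {user}</html>"

def is_cacheable(req_cookies, resp_headers):
    """Safe policy: never store a response tied to a logged-in session."""
    cc = resp_headers.get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    return "Set-Cookie" not in resp_headers and "session" not in req_cookies

class EdgeCache:
    """One instance per CDN location; each location has its own store."""
    def __init__(self, aggressive):
        self.aggressive = aggressive  # True = cache everything (the failure mode)
        self.store = {}               # URL -> body; the user is NOT part of the key

    def get(self, url, cookies):
        # Safe mode: logged-in traffic skips the cache entirely.
        bypass = not self.aggressive and "session" in cookies
        if not bypass and url in self.store:
            return self.store[url]    # served without contacting the origin
        headers, body = origin(url, cookies)
        if self.aggressive or is_cacheable(cookies, headers):
            self.store[url] = body
        return body

def demo(aggressive):
    """First visitor fills the cache; later visitors request the same URL."""
    london, manchester = EdgeCache(aggressive), EdgeCache(aggressive)
    url = "http://ukff.com/some/url"
    first = london.get(url, {"session": "alice"})
    second = london.get(url, {"session": "bob"})     # same location, same URL
    other = manchester.get(url, {"session": "bob"})  # different location
    return first, second, other

if __name__ == "__main__":
    for mode in (True, False):
        print("aggressive" if mode else "safe", demo(mode))
```

In aggressive mode the second London visitor receives the first visitor's HTML while the other location renders the correct page, which is why what each person saw depended on both URL and location.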
