elementary / website

The elementary.io website
https://elementary.io
MIT License

Consider rotating potentially exposed secrets #1602

Closed embik closed 7 years ago

embik commented 7 years ago

I'm not sure if it's really appropriate here, but recently Google's Project Zero has found a serious issue with Cloudflare. This blog post from Cloudflare has more information but IMHO doesn't really reflect on the impact of this.

Basically, most data passing through Cloudflare could have been exposed (see this comment on HN and the whole comment thread for further insight). I'm not 100% sure what data (api keys, secrets, etc) could have been leaked because I'm not familiar with elementary.io's code, however I felt like bringing this to your attention was necessary.

(This should also make you change your private passwords / keys with pages listed here, but that's another issue altogether).


Edit: The page list I linked right above also includes sites such as digitalocean, medium and namecheap. elementary's accounts for hosting and blogging should probably get a new password as well.


Edit by lewisgoddard:

Site-wise, these are listed in _backend/config.example.php

They are:

There are also infrastructure providers:

lewisgoddard commented 7 years ago

@btkostner I don't have access to most of the application keys, but should be able to do the two infrastructure items. Are you okay to do the others?

btkostner commented 7 years ago

Yep. I've been talking to Dan about a good time to do this, as I don't have access to all of those accounts.

btkostner commented 7 years ago

Thank you for bringing this to our attention @embik. At this time all API keys should be changed and deployed to our servers.

embik commented 7 years ago

No problem @btkostner - Most likely nothing even happened, but you never know. Better safe than sorry.