• This topic has 26 replies, 20 voices, and was last updated 10 years ago by Drac.
Viewing 27 posts - 1 through 27 (of 27 total)
  • IMPORTANT INFO ABOUT YOUR ST ACCOUNT – PLEASE READ
  • Mark
    Full Member

    You may have read recently about a problem with the internet – there’s a hole in it.

    There’s good technical info here and there’s a story on the BBC news website here

    In very basic terms that I’ve no doubt may be beneath many of you, but not all, it means that a staggering number of websites that thought they were secure for the last few years have found out, through no fault of their own, that they are not.

    At the core of the issue is a bug in a file that is common on most servers that could allow access by a third party to sensitive information stored on those servers. This has all come to light in the past few days.

    Singletrack was vulnerable to this bug along with millions of other websites. The vulnerability on our servers has already been fixed.

    However, no affected websites have any way of detecting if this bug has been exploited in the past. So, what do we all do now?

    Change your passwords! Do it now. http://singletrackworld.com/wp-login.php?action=lostpassword

    We recommend that you change your passwords, not only for Singletrack but all websites that you have accounts with, on a regular basis. We’ve all heard that advice before but it’s never been more important to heed it than now.

    If you have questions then feel free to ask them here. If you are a techie and have answers to those questions then feel free to chip in. There’s already a good thread running at the moment here that has some excellent info and tips.

    racefaceec90
    Full Member

    have done now thanks for warning 🙂

    H1ghland3r
    Free Member

    Blimey.. I got referenced in a sticky.!! 🙂

    andycs
    Full Member

    Link from password reset e-mail not working for me, what now?

    bearnecessities
    Full Member

    Panic hysterically, as in a major freak out.

    Or just do a reset again (I had the same problem but worked 2nd time)

    Cougar
    Full Member

    In what way isn’t it working?

    Junkyard
    Free Member

    it takes you back to the home page and then you have to submit your current password and then it emails you the same link again and then that works

    Cougar
    Full Member

    I’ve pinged an email, ta.

    Drac
    Full Member

    I took it that it was meant to work that way for security reasons.

    nathans77
    Free Member

    The singletrack SSL cert was issued in September last year, if the private key has been compromised changing the passwords now won’t help, an attacker could still decrypt the traffic including the new password…

    russianbob
    Free Member

    A ‘staggering’ amount of websites? Most servers? Really? Are you sure. This only affects ONE SSL product, of which there are many. Perhaps, of more concern is that ST doesn’t seem to use any form of secure connection at all. I certainly can’t see any evidence that it does.

    Mark
    Full Member

    The SSL certificate has been renewed. The date of the certificate is the original date and as previously stated that date is not an indication that the certificate has not been renewed. Ours has. But the date of issue is still the original issue date.

    Cougar
    Full Member

    As I understand it,

    The problem isn’t the certificate per se, it’s that the private key might be compromised.

    Issue dates aside, if the server cert has been renewed using the same private key then it resolves nothing, the risk will persist. If the existing cert is re-keyed however then the original certificate will be effectively revoked and reissued, which will fix the problem.

    I assume ST Towers has done the latter, but I have no means of verifying this. (-:

    Tom
    Free Member

    Yes, the latter – rekeyed, revoked, reissued. The key is new. I’ll show you the old one one day 🙂 The new key tackles the threat of decryption of future SSL traffic. If someone had exploited this bug in the past, and been lucky enough to capture our old private key, they may have been able to spoof our site and decrypt SSL traffic to it until a couple of days ago, if they could have intercepted traffic to it and been bothered. I have seen no sign of it happening, but it is no longer an increased risk.
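
    The renewal-versus-re-key distinction discussed in the posts above can be checked by anyone who kept a copy of the old certificate, because the public key embedded in a certificate only changes on a re-key, whatever the issue date says. This is an added example, not part of the original thread or Singletrack's own tooling; the keys, certificates and the name example.test are constructed samples.

```sh
#!/bin/sh
# Added example: tell a certificate renewed on the SAME key pair apart from a
# re-keyed one by comparing SHA-256 fingerprints of the embedded public key.
# Every key and certificate below is a constructed sample for example.test.

# Print the SHA-256 of the DER-encoded public key inside a PEM certificate.
spki_fingerprint() {
    # Fail early on an unreadable certificate instead of hashing empty input.
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print "same-key" or "rekeyed" for two certificates; return 2 on bad input.
compare_certs() {
    fp_a=$(spki_fingerprint "$1") || return 2
    fp_b=$(spki_fingerprint "$2") || return 2
    if [ "$fp_a" = "$fp_b" ]; then echo "same-key"; else echo "rekeyed"; fi
}

# Self-sign a sample certificate: $1 = key file, $2 = days valid, $3 = output.
selfsign() {
    openssl req -x509 -new -key "$1" -days "$2" \
        -subj "/CN=example.test" -out "$3" 2>/dev/null
}

# Create samples in directory $1: the old certificate, a renewal that reuses
# the old key, and a reissue on a freshly generated key.
make_samples() {
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
    selfsign "$1/old.key" 30  "$1/old.crt"
    selfsign "$1/old.key" 365 "$1/renewed.crt"
    selfsign "$1/new.key" 365 "$1/rekeyed.crt"
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "old vs renewed: $(compare_certs "$dir/old.crt" "$dir/renewed.crt")"
    echo "old vs rekeyed: $(compare_certs "$dir/old.crt" "$dir/rekeyed.crt")"
    rm -rf "$dir"
}
demo
```

    A "same-key" result means any earlier exposure of the private key still applies to the new certificate; "rekeyed" means the old key no longer matches what the server presents.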

    midlifecrashes
    Full Member

    I only use this username on cycling websites. It’s not linked to anything financial or any mobile phone, facebook, google, twitter etc. If I don’t change my password, what’s the worst that can happen?

    brassneck
    Full Member

    I only use this username on cycling websites. It’s not linked to anything financial or any mobile phone, facebook, google, twitter etc. If I don’t change my password, what’s the worst that can happen?

    Nothing really. Impersonation as you on STW, and trolling 29er threads? 🙂

    brassneck
    Full Member

    A ‘staggering’ amount of websites? Most servers? Really? Are you sure.

    About 60% of the internetz use OpenSSL. That’s certainly within my definition of ‘staggering’.

    timraven
    Full Member

    Tried several times to reset my password on here, just not working. The link keeps flipping me out.

    redthunder
    Free Member

    Done.

    trailofdestruction
    Free Member

    It’s a +1 for this as well I’m afraid

    Tried several times to reset my password on here, just not working. The link keeps flipping me out.

    Help please Mods. Linky no worky. Just going round and round in circles. Tried 5 times now.

    As Junkyard says above

    it takes you back to the home page and then you have to submit your current password and then it emails you the same link again

    Thanks

    stumpyjon
    Full Member

    Yep, same problem for me on a Samsung tablet if that makes any difference.

    daftvader
    Free Member

    Having problems here too. Emailed the mods but no response yet…. any ideas as it won’t send me the email link to change password … cheers

    Tom
    Free Member

    We’re looking into the password issue, which happens not every time but in particular circumstances.
    I suggest:
    a) ensure your email address is correct
    b) check your spam folder for the email from us
    c) log out and clear your stw cookies.
    This link will log you out and clear your stw cookies:
    http://singletrackworld.com/clearcookies.php

    Users with an email address of invalid_email_address@stw – this indicates that the last one was removed for one reason or another.

    TexWade
    Free Member

    When I get the reset email it refers to a username which isn’t mine – is there another user called rocket frog?

    daftvader
    Free Member

    Still nothing…..

    Drac
    Full Member

    For tech issues you’re best emailing the tech team tech@singletrackworld.com as tech queries to mods can get drowned out by reports.

    Cheers.


The topic ‘IMPORTANT INFO ABOUT YOUR ST ACCOUNT – PLEASE READ’ is closed to new replies.