PayBase security has been rightfully called into question after a security issue was revealed and fixed during launch on 12/30 after a delay. There were widely corroborated reports of a possible security issue in the morning of 12/31. According to GAW’s public chat, the issue stemmed from the way CloudFlare handles cached data. CCN reached out to Joe Mordica, the CTO of GAWMiners, to find out exactly what happened and if there was any customer data compromised.
Also read: Josh Garza Speaks on PayBase Launch
GAWMiner’s Explanation of PayBase Security Issue
Could you tell CCN what happened?
Jmordica – Cloudflare caches assets related to sessions (logged in users). When users visit error pages (404, 500, etc..) those are just static assets, and we store user’s sessions in redis as well (for performance and industry standard reasons). So if a user were to visit one of these static asset pages (such as an error page) Cloudflare will cache the asset (that could include styling from a session). Some of these attributes include email address, XPY amount etc.. There were no data breaches though these were static pages in cache.
So this issue is similar to issues that other sites have had with CloudFlare in the past?
Jmordica – Exactly. I will finish explaining, but this is correct. If a user visits one of these static pages (error page etc..) Cloudflare will cache everything (possibly the users email or any other styling/HTML shown to the user). That means that since Cloudflare in unaware of user sessions (by design) they may show a previously cached version of static HTML/css to the next user that visits that same page. Then it causes the next user to see someone else’s email. Thankfully this is the magnitude of the issue, and the next user is unable to make changes to perform any tasks in this state. We modified the way Cloudflare caches these assets as well as implemented additional session checks on our end to prevent this from happening again.
So no customer accounts were breached, and everything is still secure?
Jmordica – No customer accounts were breached. No one lost any coins. You cannot access anything in this kind of glitch.
Reddit reports said data was accessible… yet what we saw from the screen shots, the most people saw were email addresses not personal account info. Is this correct?
Jmordica – No one was able to do anything in anyone else’s account (because they were not actually logged into someone else’s account). So correct no personal data was touched only the basics could be seen.
Can you tell us the actual time frame the security issue happened? Many users have stated that the issue was live for several hours.
Jmordica – Well customers were still logged into their own account, but since CloudFlare was presenting static assets (or what it thought was static assets). The customer then thought they were logged into someone else’s account (if that makes sense). It happened in the 20m window and from the time we learned about it till the time we had the application down. We then resolved the issue in 30m and had the application up and running again.
So while there was a glitch it was not a massive data leak or a breach. GAWMiners responded quickly to the error and cleared up the issue. We will keep an eye on what happens from here. The PayBase launch, like many launches for other companies, had its hiccups. PayCoin value has fluctuated heavily in the last 24 hrs as some people have sold in large quantities while others, including GAW and other larger investors, have purchased at lower rates.
We will keep an eye on how it all unfolds and being you the news. Stay tuned. It should be noted, Cloudflare has had issues over the last couple years yet they are protecting customer’s with robust features and support.
Images from Shutterstock.