Author Topic: CloudFlare Hosting is potentially on fire following what could be a huge data le  (Read 4064 times)

Offline Gilgondorin


I'm linking to a Hacker News thread, because the Cloudflare coverage of this security incident is poor; they're downplaying it and using misleading wording. In tptacek's words: "This is approximately as bad as it ever gets. A significant number of companies probably need to compose customer notifications; it's, at this point, very difficult to rule out unauthorized disclosure of anything that traversed Cloudflare."

What has happened is this:

There was a bug in Cloudflare. As a result of the bug, their proxies have written arbitrary bits of memory that were completely unrelated to the request being served into those requests.

In other words, any request that triggered the bug (a tiny fraction of a percent of total queries, but this doesn't really matter) can have returned "secure" data from any Cloudflare site. This includes data such as passwords, cookies, and for that matter could include credit card numbers or SSNs. (I hope not! But if they were using CF...)

At a minimum, all current sessions to SV should be invalidated, thus invalidating any leaked cookies; everyone should be forced to re-login. It is far more likely for cookies to leak than passwords, since they're sent with every request.

Ideally, all users should be forced to change their passwords. But I'm not that optimistic, and this is admittedly a not-terribly-important forum. A banner suggesting it wouldn't be amiss, however.

...geez louise. And here I thought SHA-1 being officially broken would be the high point of the day.

Other readers:

Check any accounts you absolutely do not want to lose control over. If they use Cloudflare, then change your password immediately.

The crackers will be busy with this one for a while, but there's no sense in dawdling.

Q: How do I check if a given site uses Cloudflare?

A: Cloudflare's certificates always mention If the site uses Cloudflare, then the certificate shown to your browser will include it. (Unless this was changed in the last few hours.)

On Chrome you can check this by opening the debug console (Ctrl-Shift-J on Windows (?), Cmd-Alt-J on Mac) and clicking 'security', then 'view certificate'.

Q: I'm going to disable Cloudflare for my site right now...!

A: That's not a question. Also, don't be in such a hurry; the bug has already been fixed, though leaked data remains leaked. You have time.

Q: Surely it can't be that serious!

A: Let me quote one of the Google engineers working on this.

"The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Q: What sites use CloudFlare anyway?

A: "Who doesn't" would almost make a shorter list... SV, obviously. Reddit. Hacker News. Tons of others... unfortunately there's no complete list, but a large fraction of the internet is affected.

Sites that don't? Well, your Google account is safe. Otherwise, check the certificate.
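The session invalidation recommended in the post above, sketched as an added example that is not part of the original post or any forum's actual code: every session cookie carries a signed issue time, and the server rejects anything issued before a cutoff set once the leak is fixed. The `SessionIssuer` class, the cookie layout, the key and the timestamps are all constructed for illustration; a real deployment would keep the cutoff in shared storage.

```python
import hashlib
import hmac
import time
from typing import Optional


class SessionIssuer:
    """Issues HMAC-signed session cookies with a global revocation cutoff."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._not_before = 0  # cookies issued before this Unix time are rejected

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: Optional[int] = None) -> str:
        issued = int(time.time()) if now is None else now
        payload = f"{user}|{issued}"
        return f"{payload}|{self._sign(payload)}"

    def validate(self, cookie: str) -> Optional[str]:
        """Return the user for a valid cookie, or None to force a re-login."""
        try:
            user, issued, sig = cookie.rsplit("|", 2)
            issued_at = int(issued)
        except ValueError:
            return None  # malformed cookie
        expected = self._sign(f"{user}|{issued}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None  # tampered, or signed with a different key
        if issued_at < self._not_before:
            return None  # issued before the cutoff, so it may have leaked
        return user

    def invalidate_all(self, cutoff: Optional[int] = None) -> None:
        """Reject every cookie issued before `cutoff` (default: now)."""
        self._not_before = int(time.time()) if cutoff is None else cutoff


def demo():
    issuer = SessionIssuer(b"constructed-demo-key")  # constructed key
    old = issuer.issue("alice", now=1000)   # session from before the fix
    issuer.invalidate_all(cutoff=2000)      # operator revokes all older sessions
    new = issuer.issue("alice", now=2500)   # session after a fresh login
    return issuer.validate(old), issuer.validate(new)
```

A cookie captured from leaked proxy memory carries a valid signature, so only the issue-time cutoff (or rotating the signing key) makes it useless.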