

Serious Cloudflare bug exposed a potpourri of secret customer data

  • LiberalArkie (3899 posts)

    Serious Cloudflare bug exposed a potpourri of secret customer data

    Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users.

    A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real time by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

    “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. “We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

    The leakage was the result of a bug in an HTML parser chain Cloudflare uses to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots. When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.


    https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/

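An added illustration of the bug class the article describes: a page-rewriting parser that keeps scanning past the end of the page it was handed and copies whatever memory sits next to it into the HTTP response. This is an editorial example, not Cloudflare's parser and not code from the Ars Technica article. The article does not give the root cause, so the trigger modelled here (an unterminated tag at the end of the buffer, scanned for a closing `>` with no bound check, after which the outer loop's equality test against the end pointer never fires again) is an assumption about how such a leak can happen, and the page and cookie bytes in `PAGE` and `ADJACENT` are constructed. The rewrite it performs, `http://` to `https://` inside tags, stands in for the Automatic HTTPS Rewrites feature the article names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of one contiguous region of edge-server memory.
   PAGE is the HTML being rewritten; it ends inside an unterminated <a>
   tag, the state that triggers the overshoot below. ADJACENT stands in
   for whatever happened to sit next to it (here a cookie line from
   another request). Neither is real data. */
#define PAGE     "<p>Hi</p><a href=\"http://example.com"
#define ADJACENT "Cookie: session=s3cr3t-token-9f8e>\r\nmore bytes of unrelated memory"
#define PAGE_LEN (sizeof(PAGE) - 1)

static const char arena[256] = PAGE ADJACENT;   /* zero-filled past the text */

/* Copy `len` bytes of HTML from `in` to `out`, rewriting http:// to
   https:// inside tags (a stand-in for an "Automatic HTTPS Rewrites"
   pass). Returns the number of bytes written.
   bounded == 0 reproduces the bug class: the tag scanner looks for '>'
   with no check against `end`, so on an unterminated tag it walks into
   whatever memory follows the page, and the outer loop's `p != end`
   test never fires again once p has jumped past `end`.
   bounded == 1 is the corrected loop. */
size_t rewrite_page(const char *in, size_t len, char *out, size_t out_cap, int bounded)
{
    const char *p = in;
    const char *end = in + len;
    size_t n = 0;

    while ((bounded ? p < end : p != end) && n < out_cap) {
        if (*p != '<') {              /* text node: copy one byte */
            out[n++] = *p++;
            continue;
        }

        /* Tag: find the closing '>' so the whole tag can be rewritten. */
        const char *q = p;
        if (bounded) {
            while (q < end && *q != '>')
                q++;
        } else {
            while (*q != '>')         /* BUG: no bound; reads past the page */
                q++;
        }

        /* Bytes to emit: the tag, plus its '>' if one was found. */
        size_t stop = (size_t)(q - p) + ((bounded && q == end) ? 0 : 1);
        for (size_t i = 0; i < stop && n < out_cap; i++) {
            if (i + 7 <= stop && memcmp(p + i, "http://", 7) == 0 && n + 8 <= out_cap) {
                memcpy(out + n, "https://", 8);
                n += 8;
                i += 6;               /* skip the rest of "http://" */
            } else {
                out[n++] = p[i];
            }
        }
        p += stop;
    }
    return n;
}

/* 1 if the rewriter's output for PAGE contains bytes from ADJACENT. */
int leaks_adjacent_memory(int bounded)
{
    char out[128];
    size_t n = rewrite_page(arena, PAGE_LEN, out, sizeof out - 1, bounded);
    out[n] = '\0';
    return strstr(out, "session=") != NULL;
}

/* 1 if rewriting `in` produces exactly `expected`. */
int rewrites_to(const char *in, const char *expected, int bounded)
{
    char out[128];
    size_t n = rewrite_page(in, strlen(in), out, sizeof out, bounded);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void)
{
    char out[128];
    for (int bounded = 0; bounded < 2; bounded++) {
        size_t n = rewrite_page(arena, PAGE_LEN, out, sizeof out - 1, bounded);
        out[n] = '\0';
        printf("%s parser: %s\n", bounded ? "bounded" : "unbounded", out);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall -o rewrite rewrite.c && ./rewrite`. The unbounded run prints the rewritten page followed by the neighbouring cookie line; the bounded run stops at the end of the page. The point for operators is the one the article makes: once a response like the unbounded one is served, it is also cached by anything downstream (browsers, proxies, search engines), so fixing the parser is only half of the cleanup.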


  • Eggar (1990 posts)

    1. aw man….

    that doesn’t bode well for our team. Thanks for disclosing this information LA!

  • HIP56948 (2303 posts)

    2. We all knew this was coming (somewhere), in one way or the other.

    I don’t have much in the cloud, at least, I think not?

  • Enlightenment (871 posts)

    3. A gamer friend sent me this link that lists

    sites that use Cloudflare (not just the affected proxy). The author indicates it is a work in progress and suggests that since Cloudflare probably won’t release a list, it would be wise just to change passwords.
    Worth browsing, at least.

    https://github.com/pirate/sites-using-cloudflare/blob/master/README.md


    All political parties die at last of swallowing their own lies. - John Arbuthnot, 1637-1735