Cloudflare service used by 5.5 million sites may have leaked passwords and auth tokens

Status
Not open for further replies.
Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
...
Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains. Thursday's disclosure came only after the leaked data was fully purged, with the help of the search engines.

https://arstechnica.com/security/20...-exposed-a-potpourri-of-secret-customer-data/

Blog post from Cloudflare themselves:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

I came across this through a comment section, from Android Police, about Google OnHub and Wifi devices dying, and people all over the place being signed out of their Google accounts (myself included).
Ruh Roh

-----

Found this link on HN that lists the sites that are affected, no need to log in:
https://github.com/pirate/sites-using-cloudflare

I suggest resetting your password if you use any of those sites.

Comments from the Google engineer who found it:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

May or may not be related. (Note: this doesn't appear to be connected to Google's recent Login problems, just a coincidence so far)

Google Support Forum said:
We've gotten reports about some users being signed out of their accounts unexpectedly. We're investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats.

https://productforums.google.com/forum/?nomobile=true#!category-topic/gmail/Kfsx8YjqAS4
 
EDIT: Title should really be changed to state that this includes more than passwords and OAuth tokens, but personal information/private communications as well.

The original event log written by the guy who initially found the bug and followed up with Cloudflare is really worth a read:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

I'm really surprised this isn't getting more of a reaction. This is HUGE, especially given that there was nothing any Cloudflare-backed website could've done to prevent their customers' data from potentially leaking, apart from not using Cloudflare at all.

Not only is there still a ton of cached HTTP pages out there containing OAuth tokens, private messages (some have reported seeing PMs from Discord), personal information, etc., if an attacker found out about this during the period the bug was in effect (which was ~5 months), they could've seriously mined a LOT of private data from anyone interacting with a website using Cloudflare.

Cloudflare's really trying to downplay this, but anyone who understands what happened isn't buying it.

Hacker News comments are also worth a read for the curious:
https://news.ycombinator.com/item?id=13718752

It would be good to find a list of affected major websites. I have yet to find one.
Any website using Cloudflare since last September is affected. Here's a list of major websites that use it:

https://stackshare.io/cloudflare/in-stacks
 
So glad we don't use Cloudflare at work right now. Just old school CDNs for static content only. I've always been uncomfortable with piping non-static data through a CDN and this just cements that.
 
My site uses Cloudflare. But I have no idea if I'm impacted by this (nor smart enough to understand what's going on). No communication from Cloudflare.
 
Is this related to why Google has been having me log back into everything?
AFAIK, no. The only partnership Google has with Cloudflare is for GCP web service scaling, so I can't think of a reason for them to need to reset OAuth tokens because of this incident.
My site uses Cloudflare. But I have no idea if I'm impacted by this (nor smart enough to understand what's going on). No communication from Cloudflare.
This is a good read for you:
https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165
 
Unless I'm misunderstanding something, it seems as though even though it affected a TON of huge sites, the odds of the random bits of information being successfully connected to actually affect many end users seems incredibly low, right?

EDIT: I posted this before D4Danger's post below got added to the OP. Uh, holy shit. This is no bueno
 
Comments from the Google engineer who found it:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
 
It would be good to find a list of affected major websites. I have yet to find one.
I found this warning on a Discord channel I follow:

Sites vulnerable include:
Uber
Reddit
Yelp
Digital Ocean
OKCupid
RapGenius
Coinbase
Product Hunt
Udemy
Crunchyroll
FitBit
Hacker News
Zendesk
Discord
GitHub Pages
Chocolatey

Found this link on HN that lists the sites that are affected, no need to log in:
https://github.com/pirate/sites-using-cloudflare

I suggest resetting your password if you use any of those sites.
Damn, that's worse than I thought. lol
 
People really should read through that Project Zero thread (linked in my post and by D4Danger above) to get the full scope of this.

Some hilarious things from that thread:

- The person who found the bug had to reach out on Twitter to get a hold of a Cloudflare security employee promptly
- Cloudflare's top-tier reward in their bug bounty program is a t-shirt
Found this link on HN that lists the sites that are affected, no need to log in:
https://github.com/pirate/sites-using-cloudflare

I suggest resetting your password if you use any of those sites.
This is a good link.
 
2-step authentication. Why this is not industry standard, I have no idea.

While MFA would protect people whose passwords were leaked, there's still the matter that data (potentially sensitive, personally identifiable data) transmitted after an authenticated session was established, MFA or no MFA, was bled out by the Cloudflare bug and cached on publicly accessible websites.
 
Some clever folks have already found ways to go through Google's cache and pull information from a bunch of sites. You can find entire Uber requests, for example, with geolocation, account information, time/date, etc. with a Google search. This is probably what it's like to work at the NSA.

Edit: apparently the chat app mentioned is Discord, so there's that too.
 
Yup, I freaked out when I got the alert on my phone to re-enter my password. I logged in and created a new password and checked my two-step verification ... I also got many requests for two-step verification for my Apple ID... like someone got in but couldn't complete the process. Lucky for me I had two-step on.
 
Effing password managers!? Please don't be LastPass! Please don't be LastPass! Please don't be LastPass!

LastPass doesn't seem to use Cloudflare.

On the big list I only noticed a couple sites I had accounts on, and they are pretty throwaway type things that don't really have a lot of information.
 
Effing password managers!? Please don't be LastPass! Please don't be LastPass! Please don't be LastPass!

LastPass doing all encryption on the client side *should* prevent one's vault from ever being compromised, even if attackers got total access. It would still be very bad, mind you.
 
This is literally worst case scenario bad. It's not just that it could have gotten your pw or tokens, but like it got everything.

That Google Engineer post is like worst case scenario nuclear bomb like level.
 
I was about to go to bed when I checked GAF and saw this post.

I've spent the past hour pinging people about this. Ugh.
 
Holy shit. Uber doesn't let you change your password. You have to log out and say 'I forgot my password' to get the option.

Stop and think about why they might do that for a second.

This is literally worst case scenario bad. It's not just that it could have gotten your pw or tokens, but like it got everything.

That Google Engineer post is like worst case scenario nuclear bomb like level.

The only good news is that what got out (so far) is completely scattered and random. Worse news for Cloudflare's customers than their customers' customers. Fortunately.

You know, until we find out someone found out how to manipulate that intentionally. Then, whoops.
 
Would love a tool that scrubs your internet history for affected websites.
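One way to build the tool asked for above: cross-reference a browser-history export against a list of Cloudflare-fronted domains such as the pirate/sites-using-cloudflare one linked earlier in the thread. This is an added example written for this page, not code from the thread or from that repository; the site list and history lines are constructed samples, and the match walks parent domains so subdomains are caught without substring false positives.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the community list (one registrable domain per
# line, "#" comments allowed); the real list has thousands of entries.
SITES_USING_CLOUDFLARE = """\
# constructed sample entries
discord.gg
uber.com
reddit.com
news.ycombinator.com
"""

# Constructed sample of a browser-history export, one URL per line.
HISTORY_EXPORT = """\
https://www.reddit.com/r/netsec/
https://example.org/login
https://riders.uber.com/trips
https://notreddit.com/
"""


def load_domains(text):
    """Parse the site list into a set of lowercase domains, skipping comments."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def matching_domain(host, domains):
    """Return the listed domain covering `host` (itself or a parent), else None.
    Label-wise walk: riders.uber.com matches uber.com, notreddit.com does not
    match reddit.com (a plain substring test would get that wrong)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def affected_sites(history_text, domains):
    """Map each listed domain seen in the history to the hosts visited under it."""
    hits = {}
    for line in history_text.splitlines():
        host = urlsplit(line.strip()).hostname   # None for blank/invalid lines
        listed = matching_domain(host, domains) if host else None
        if listed:
            hits.setdefault(listed, set()).add(host)
    return {d: sorted(h) for d, h in hits.items()}


if __name__ == "__main__":
    report = affected_sites(HISTORY_EXPORT, load_domains(SITES_USING_CLOUDFLARE))
    for domain, hosts in sorted(report.items()):
        print(f"{domain}: {', '.join(hosts)} -> reset that password")
```

To run it against a real export, replace the two constructed strings with the contents of the downloaded site list and of your browser's exported URL history.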
 
Is this like the 9/11 of account hacking or what

Holy shit

gg cloudflare

I don't have accounts on any of the sites listed so far. What are some of the other 1600+?
 
You know, until we find out someone found out how to manipulate that intentionally. Then, whoops.
That's part of what makes this so awful: all an attacker had to do was find or host a page with invalid HTML that triggered this bug, and then just reload the page from different regions using AWS/GCP/etc. and they'd have tons of leaked data.

Cloudflare might be able to go dig through the past 5 months of user request logs to figure out if anyone did that, provided they stored and kept that information.
 