that apparently could do with Google changing something with 2FA on their end yesterday. Not sure though.
This really should not be ruining your weekend. It is a configuration induced security vulnerability, not a hack. There is no evidence anyone exploited it, and while the scope has the potential to be quite large, we know very little about whose information has been exposed, and what of that information is available. This is not like a site-wide hack where the best thing to do is immediately move to reset your password. That GitHub list strikes me as totally irresponsible, just listing any site that used Cloudflare, with no details about whether it used the affected features, what kind of session data was being sent on the site, etc. If it makes you feel more comfortable, update a password, but I think the vast majority of people could stand to wait for a few days, find out the scope and recommendations that come as a result, and then act in due time.
YO! Nick Sullivan (@grittygrease, Head of Crypto at Cloudflare) made a blog post about it all
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Google has multiple versions of 2FA, which one did they change?
Could have to do with this change:
https://www.engadget.com/2017/02/23/google-phone-prompt-two-step-update/
https://gsuiteupdates.googleblog.com/2017/02/improved-phone-prompts-for-2-step.html
As of now it's just correlation, not proof that this is the cause.
Cloudflare disclosed today that they have fixed a bug reported by Google's Project Zero that was very rarely exposing sensitive information in random requests (0.00003% of all requests) since September 2016. There was no way to target specific information and the exposed information was random.
Dear Cloudflare Customer:
Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.
Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.
In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.
To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don't hesitate to reach out.
Matthew Prince
Cloudflare, Inc.
Co-founder and CEO
So I saw Reddit listed a couple of times on here, but using the doesitusecloudflare link it doesn't appear to use that service.
So what's the deal there?
Just got the notification from Cloudflare too. Even though they may say your domain isn't affected, as far as I know they've only checked it against third party data they had access to, so there is still a chance info has been leaked.
Will keep using them, as they are a great service.
It was removed from the GitHub site list at some point overnight, so I assume they confirmed it doesn't or at least was not impacted.
Ok but I thought it reported everything that even used the service in the first place. So was it just a case of the site reporting wrong or did Reddit just state they were unaffected?
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
Google must have cleared their cached results that match queries for the Cloudbleed bug, as searching for it now yields mere dozens of results compared to the number it was before based on comments a couple days ago, and all the currently matching results lack cached versions.
Thursday's disclosure came only after the leaked data was fully purged, with the help of the search engines.
I see opencritic on the list.
Someone made a handy extension for Firefox & Chrome that checks your browser history against sites affected by the CloudFlare leak.
CloudBleed: check if you visited sites affected by CloudFlare's security issue
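The check that extension performs is simple enough to do by hand. Below is an added illustration written for this page; it is not the extension's code and not part of the original thread. It builds a constructed, single-column stand-in for Firefox's moz_places history table in memory, uses a constructed list of domains in place of the published site list, and reports which visited hosts fall under one of those domains. The domain match is a proper subdomain match, so a host like notexample.test does not match example.test the way a naive suffix-string comparison would. Against a real profile you would open a copy of places.sqlite (or Chrome's History file, whose table is named urls) instead of the constructed table.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for a browser history file: a handful of made-up
# visited URLs for this example only.
SAMPLE_HISTORY = [
    "https://www.example-dating.test/inbox/1234",
    "https://chat.example.test/room/general",
    "https://www.bank.test/login",
    "http://cdn.example.test/static/app.js",
    "https://notexample.test/",
    "https://unrelated.test/",
]

# Constructed list of domains assumed (for the example) to be on the
# affected-sites list.
AFFECTED_DOMAINS = {"example-dating.test", "example.test"}


def build_history_db(urls):
    """Create an in-memory table shaped like Firefox's moz_places (url column only;
    the real table has many more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    conn.executemany("INSERT INTO moz_places (url) VALUES (?)", [(u,) for u in urls])
    conn.commit()
    return conn


def host_of(url):
    """Lower-cased host of a URL with userinfo and port stripped, or None."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def matches_domain(host, domain):
    """True if host equals domain or is a subdomain of it.
    A plain endswith(domain) would wrongly match notexample.test."""
    return host == domain or host.endswith("." + domain)


def affected_hosts(conn, affected_domains):
    """Sorted distinct hosts from the history table that fall under an affected domain."""
    hits = set()
    for (url,) in conn.execute("SELECT url FROM moz_places"):
        host = host_of(url)
        if host is None:
            continue
        if any(matches_domain(host, d) for d in affected_domains):
            hits.add(host)
    return sorted(hits)


def check_history(urls=SAMPLE_HISTORY, affected_domains=AFFECTED_DOMAINS):
    """Run the check end to end over the constructed history and domain list."""
    conn = build_history_db(urls)
    try:
        return affected_hosts(conn, affected_domains)
    finally:
        conn.close()


if __name__ == "__main__":
    for h in check_history():
        print("visited a host on the affected list:", h)
```

Hits tell you which sites' sessions you might want to rotate; they say nothing about whether any of your data was actually in a leaked response, which is the same limitation the thread points out about the site list itself.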
This is actually much bigger than Yahoo's 16 billion of whatever accounts being hacked.
Cloudflare needs to be dragged out into the street for this. Large amounts of the entire planet are using Cloudflare services and were exposed.
It has a cool name and a logo - this must be serious! Since Heartbleed, bug branding has become a bit of a thing and more than anything, it points to the way vulnerabilities like these are represented by the press. It helps with headlines and I'm sure it does wonderful things for bug (brand?) recognition, but it also has a way of drumming up excitement and sensationalism in a way that isn't always commensurate with the actual risk.
That said, the Cloudflare bug is bad, but the question we need to be asking is "how bad"? I saw the news break yesterday morning my time and I've been following it closely since. As I've written a lot about Cloudflare in the past and been very supportive of their service, I've had a lot of questions from people. I want to share my take on it - both the good stuff and the bad stuff - and per the title above, I'm going to be very pragmatic about the whole thing.
Before I get started and if you haven't read it already, start with Project Zero's outline of the bug then move onto Cloudflare's detailed blog post on the issue (that's the chronological order they were written in). Do read the comment threads on both too, they each contain valuable background and insight. Right, assuming you now understand the background, let's jump into it.