Cloudflare service used by 5.5 million sites may have leaked passwords and auth tokens

Status
Not open for further replies.
The only one where I'm affected was humblebundle. Changed the PW obv but I don't know how much that will help with all the info leaked.
 
YO! Nick Sullivan (@grittygrease, "Cryptography in Theory and Security in Practice", Head of Crypto at Cloudflare) made a blog post about it all
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

and the response
taviso@google.com, Today (10 hours ago)
Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

They've left it too late to negotiate on the content of the notification.

Let's hope that their notification in combination with the details from this issue will be adequate explanation of what happened. I think we're waiting for cached links to start expiring, and then we're publishing whether they're ready or not.


That apparently could have to do with Google changing something with 2FA on their end yesterday. Not sure though.

Goog has multiple versions of 2FA, which one did they change?
 
This really should not be ruining your weekend. It is a configuration induced security vulnerability, not a hack. There is no evidence anyone exploited it, and while the scope has the potential to be quite large, we know very little about whose information has been exposed, and what of that information is available. This is not like a site-wide hack where the best thing to do is immediately move to reset your password. That Github list strikes me as totally irresponsible, just listing any site that used Cloudflare, with no details about whether it used the affected features, what kind of session data was being sent on the site, etc. If it makes you feel more comfortable, update a password, but I think the vast majority of people could stand to wait for a few days, find out the scope and recommendations that come as a result, and then act in due time.

You saved me a lot of time. Gonna wait. I use a ton of sites and it would be a massive pain. Hopefully affected sites are smart enough to just reset it themselves.
 
YO! Nick Sullivan (@grittygrease, "Cryptography in Theory and Security in Practice", Head of Crypto at Cloudflare) made a blog post about it all
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/



Goog has multiple versions of 2FA, which one did they change?

Could have to do with this change:

https://www.engadget.com/2017/02/23/google-phone-prompt-two-step-update/

https://gsuiteupdates.googleblog.com/2017/02/improved-phone-prompts-for-2-step.html

As of now it's just correlation, not proof that this is the cause.
 
Still, for how many large companies use their services, their rewards program is laughable. They aren't a startup and the reward thing just seems cocky.


Ahh good, I even use that version of 2FA they are testing
 
So many people will get fucked because of this, I hope all the participating sites request a password change for their users.
 
Reportedly 150 sites have been identified as having information leaked into caches etc. Cloudflare supposedly has reached out to each of them. If you use Cloudflare on your site and haven't heard from them specifically then they haven't - yet at least - tied any leaked information to your site.
 
Just got this email from cloudflare:

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO

lol, I still don't know what's going on, but this is good I guess. I'm only on Cloudflare because I migrated from GoDaddy to WPEngine and WPEngine said to use it. My site really started to get a lot of visitors and slowed to a crawl on GoDaddy. WPEngine is like 1,000x faster, couldn't be happier. But not happy about this!
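The one concrete step in the Cloudflare email that a site operator can act on is "invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys". The example below is added here and is not Cloudflare's code or anything from this thread; it sketches a hypothetical server-side session store that supports both halves of that advice: a bulk cutoff that rejects every session issued before the fix shipped (forcing those users to log in again), and a per-session rotation that replaces one token and kills the old one immediately. The `SessionStore` and `Session` names and the timestamps in the demo are all constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    user: str
    issued_at: float  # seconds since the epoch, as given by time.time()


class SessionStore:
    """Hypothetical server-side store of opaque session tokens.

    Tokens are random values looked up by exact match, so rotating one
    is just: mint a fresh token, forget the old one. Bulk invalidation
    is a cutoff on issue time, which is the cheapest way to force every
    session that existed during an incident window to log in again.
    """

    def __init__(self):
        self._by_token = {}
        self.invalid_before = 0.0  # sessions issued before this are rejected

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_token[token] = Session(token, user, now)
        return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown or invalidated."""
        s = self._by_token.get(token)
        if s is None or s.issued_at < self.invalid_before:
            return None
        return s.user

    def invalidate_issued_before(self, cutoff):
        """Reject every session issued before `cutoff`; returns how many died."""
        self.invalid_before = max(self.invalid_before, cutoff)
        dead = [t for t, s in self._by_token.items() if s.issued_at < cutoff]
        for t in dead:
            del self._by_token[t]  # drop them so nothing can revive them later
        return len(dead)

    def reissue(self, old_token, now=None):
        """Rotate a single session: the old token stops working at once."""
        s = self._by_token.pop(old_token, None)
        if s is None:
            raise KeyError("unknown or already invalidated session")
        return self.issue(s.user, now)


if __name__ == "__main__":
    # Constructed timestamps: 1000.0 is "during the leak window", 2000.0 is
    # when the fix shipped, 3000.0 is "after the fix".
    store = SessionStore()
    old = store.issue("alice", now=1000.0)
    new = store.issue("bob", now=3000.0)
    print("sessions killed:", store.invalidate_issued_before(2000.0))  # 1
    print("old token still valid:", store.validate(old))               # None
    print("new token still valid:", store.validate(new))               # bob
    rotated = store.reissue(new)
    print("rotated token valid:", store.validate(rotated))             # bob
```

The cutoff is stored as well as applied, so a session whose issue time predates it is rejected even if it was written by a lagging replica after the purge ran; deleting the dead entries on top of that means lowering the cutoff later cannot bring them back.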
 
So I saw Reddit listed a couple times on here but using the doesitusecloudflare link it doesn't appear to use that service.

So what's the deal there?
 
Oh shit, I thought I was in the clear but Penny Arcade uses this service?

It's been several years since I logged in that site, but brb going to change a fuck ton of passwords just to be safe
 
So I saw Reddit listed a couple times on here but using the doesitusecloudflare link it doesn't appear to use that service.

So what's the deal there?

It was removed from the GitHub site list at some point overnight, so I assume they confirmed it doesn't or at least was not impacted.
 
Just got the notification from Cloudflare too, although even though they may say your domain isn't affected, as far as I believe they've only checked it against third party data they had access to, so there is still a chance info has been leaked. But I haven't heard of it being actively exploited before it was disclosed.

Will keep using them, as they are a great service.
 
Just got the notification from Cloudflare too, although even though they may say your domain isn't affected, as far as I believe they've only checked it against third party data they had access to, so there is still a chance info has been leaked.

Will keep using them, as they are a great service.

As long as it wasn't cached somewhere there's nothing else you can do except hope no one else knew about this bug. They really have no idea what was leaked as this bug was just dumping random data.
 
It was removed from the GitHub site list at some point overnight, so I assume they confirmed it doesn't or at least was not impacted.

Ok but I thought it reported everything that even used the service in the first place. So was it just a case of the site reporting wrong or did Reddit just state they were unaffected?
 
Ok but I thought it reported everything that even used the service in the first place. So was it just a case of the site reporting wrong or did Reddit just state they were unaffected?

That's a question for the people maintaining the list, I suppose, or maybe something answered in a Reddit post on the topic (which I was actually trying to find).

There were a couple of other sites on last night that were removed and a couple of others updated w/ notes saying they were unaffected, so I'd be inclined to believe Reddit was just on the list in error.
 

I'll just go with Google on this, Cloudflare is downplaying the whole episode.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
 
Google must have cleared their cached results that match queries for the Cloudbleed bug, as searching for it now yields mere dozens of results compared to the number it was before based on comments a couple days ago, and all the currently matching results lack cached versions.
 
Google must have cleared their cached results that match queries for the Cloudbleed bug, as searching for it now yields mere dozens of results compared to the number it was before based on comments a couple days ago, and all the currently matching results lack cached versions.

The initial disclosure was supposed to be Monday, but it kept getting pushed back. I guess as part of working with search engines to minimize fallout:

Thursday's disclosure came only after the leaked data was fully purged, with the help of the search engines.
 
They cleared the well known search engines, but I mean, there's got to be tons of private crawlers out there that might have cached some data.
 
Seems like maybe changing any passwords that may have any kind of payment thing associated with them might be a good idea just in case, but beyond that I'm waiting a bit to see what's what.
 
I see opencritic on the list.

We have no sensitive information or PII stored in our database. Our social providers will be** issued new private keys.

(Hooray for not using email/password logins!)

(** - Edited for accuracy. We haven't yet refreshed the private keys, but this breach didn't expose them.)
 
I'm LTTP but is there something we can do about it other than just changing passwords?

Edit: you only had one job Crunchyroll... no wonder I keep getting a lot of Cloudflare loading pages with Crunchy these last few months
 
I checked my Coinbase account and I see a login attempt from China 8 days ago and today someone from Russia tried logging in. Both failed due to 2 step verification.
 
Fuck, I input my credit card number on Udemy last week among other things...should I get my card number changed?
 
Thankfully only three for me, one being MMO Champion which I hadn't logged into in like four years and the other Humble Bundle which I have 2FA on... Also had Crunchyroll, only signed up like a week ago but I guess I should probably change that PW too.


EDIT: Crap, forgot GMG used it and so does Nexus. >_< Neither showed in the add-on's list.

EDIT: GMG is currently down...
 
One local theater chain in Canada used this, they actually took the big step of sending out an email about the incident and encouraged all users to change their passwords. They definitely would not have if they thought it was nothing and from the email it sounded like others that had used the system had fallen prey to some using the stolen info.
 
This is actually much bigger than Yahoo's 16 billion of whatever accounts being hacked.

Cloudflare needs to be dragged out into the street for this. Large amounts of the entire planet are using Cloudflare services and were exposed.
 
This is actually much bigger than Yahoo's 16 billion of whatever accounts being hacked.

Cloudflare needs to be dragged out into the street for this. Large amounts of the entire planet are using Cloudflare services and were exposed.

This should be the death for them tbh. It's not the first time they fucked up. Still, people trust them.
 
So Troy Hunt, the guy who runs haveibeenpwned, wrote up some thoughts on CloudBleed that I think is really worth reading.

https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
It has a cool name and a logo - this must be serious! Since Heartbleed, bug branding has become a bit of a thing and more than anything, it points to the way vulnerabilities like these are represented by the press. It helps with headlines and I'm sure it does wonderful things for bug (brand?) recognition, but it also has a way of drumming up excitement and sensationalism in a way that isn't always commensurate with the actual risk.
That said, the Cloudflare bug is bad, but the question we need to be asking is "how bad"? I saw the news break yesterday morning my time and I've been following it closely since. As I've written a lot about Cloudflare in the past and been very supportive of their service, I've had a lot of questions from people. I want to share my take on it - both the good stuff and the bad stuff - and per the title above, I'm going to be very pragmatic about the whole thing.
Before I get started and if you haven't read it already, start with Project Zero's outline of the bug then move onto Cloudflare's detailed blog post on the issue (that's the chronological order they were written in). Do read the comment threads on both too, they each contain valuable background and insight. Right, assuming you now understand the background, let's jump into it.
 