Cloudbleed: Cloudflare have been exposing peoples passwords and other data

Forums › IT Pro and developers › Cloudbleed: Cloudflare have been exposing peoples passwords and other data

jarledb

Webhead
2232 posts

Uber Geek
+1 received by user: 772

Moderator

Trusted

Lifetime subscriber

# 208716 24-Feb-2017 13:08

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is scary. There is good reason to belive that a lot of peoples passwords and other sensitive data have been compromised through this security bug.

Not impressed by Cloudflare dragging their feet in making this exploit public.

Jarle on Twitter - Senson NZ - WordPress experts

hio77

'That VDSL Cat'
10213 posts

Uber Geek
+1 received by user: 2455

Trusted

Spark

Subscriber

# 1725658 24-Feb-2017 13:12

This is certainly a scary one..

@freitasm have an offical comment from cloudflare?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

clinty

604 posts

Ultimate Geek
+1 received by user: 128

# 1725669 24-Feb-2017 13:31

Link from the bottom of the Project Zero comments

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Clint

freitasm

BDFL - Memuneh
63368 posts

Uber Geek
+1 received by user: 13872

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1725670 24-Feb-2017 13:31

One person supports this post

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

jbard

1370 posts

Uber Geek
+1 received by user: 17

# 1725675 24-Feb-2017 13:41

freitasm:

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

It seems every site using Cloudflare is effected as if any customer on a server you shared had any of those features enabled then your data could have been exposed.

timmmay

14761 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1725678 24-Feb-2017 13:45

Bit of a nasty bug. Looks like a very responsible response from CloudFlare. The Google guy went a bit overboard with his whining.

jarledb

Webhead
2232 posts

Uber Geek
+1 received by user: 772

Moderator

Trusted

Lifetime subscriber

# 1725684 24-Feb-2017 14:13

freitasm:

We didn't use those features so I am not worried.

Its an issue for anyone that has used a site that had this featured turned on.

Its prudent to remind people that reusing passwords is a bad idea. But any passwords you have used on sites affected by this vulnerability should also be considered compromised.

I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

I just think they took too much time doing it.

Jarle on Twitter - Senson NZ - WordPress experts

fizzychicken

286 posts

Ultimate Geek
+1 received by user: 70

# 1725740 24-Feb-2017 16:18

list of impacted sites being compiled here

edited for spelling (as always)

https://keybase.io/fizzychicken

freitasm

BDFL - Memuneh
63368 posts

Uber Geek
+1 received by user: 13872

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1725745 24-Feb-2017 16:29

And there it is - geekzone.co.nz, geekzone.nz, geekzone.co.in, geekzone.co.uk - some of these domains are redirects and never really used so not sure if these are affected or simply use Cloudflare.

In any case, as mentioned, another reason for not reusing passwords.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

nova

81 posts

Master Geek
+1 received by user: 19

Trusted

# 1725748 24-Feb-2017 16:41

One person supports this post

freitasm:

We didn't use those features so I am not worried. I think their response was effective.

Any site that used CloudFlare could have had their data leaked. Only sites that had the features enabled and malformed HTML would leak data in their responses, but the data could belong to any other site that shared the same server. Very similar to HeartBleed in that regard, except this offered it up for free, rather that requiring a specific exploit. I agree that CloudFlare looks to have been fairly responsive on this, the only legitimate complaint I can see is that they are downplaying the issue a bit.

timmmay

14761 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1725755 24-Feb-2017 16:51

That's just a list of all websites that use CloudFlare.

fizzychicken

286 posts

Ultimate Geek
+1 received by user: 70

# 1725792 24-Feb-2017 18:36

timmmay:

That's just a list of all websites that use CloudFlare.

I should have probably added the word 'potentially'

https://keybase.io/fizzychicken

michaelmurfy

Mr Snotty
8619 posts

Uber Geek
+1 received by user: 4512

Moderator

Trusted

Lifetime subscriber

# 1726000 25-Feb-2017 01:13

Just got an email from Cloudflare:

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO