Cloudbleed: Cloudflare have been exposing peoples passwords and other data

Forums › IT Pro and developers › Cloudbleed: Cloudflare have been exposing peoples passwords and other data

jarledb

Webhead
3253 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#208716 24-Feb-2017 13:08

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is scary. There is good reason to belive that a lot of peoples passwords and other sensitive data have been compromised through this security bug.

Not impressed by Cloudflare dragging their feet in making this exploit public.

Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation or subscribing.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1725658 24-Feb-2017 13:12

This is certainly a scary one..

@freitasm have an offical comment from cloudflare?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

clinty

1182 posts

Uber Geek

Lifetime subscriber

#1725669 24-Feb-2017 13:31

Link from the bottom of the Project Zero comments

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Clint

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1725670 24-Feb-2017 13:31

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

jbard

1377 posts

Uber Geek

#1725675 24-Feb-2017 13:41

freitasm:

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

It seems every site using Cloudflare is effected as if any customer on a server you shared had any of those features enabled then your data could have been exposed.

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1725678 24-Feb-2017 13:45

Bit of a nasty bug. Looks like a very responsible response from CloudFlare. The Google guy went a bit overboard with his whining.

jarledb

Webhead
3253 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1725684 24-Feb-2017 14:13

freitasm:

We didn't use those features so I am not worried.

Its an issue for anyone that has used a site that had this featured turned on.

Its prudent to remind people that reusing passwords is a bad idea. But any passwords you have used on sites affected by this vulnerability should also be considered compromised.

I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

I just think they took too much time doing it.

fizzychicken

313 posts

Ultimate Geek

#1725740 24-Feb-2017 16:18

list of impacted sites being compiled here

edited for spelling (as always)

https://keybase.io/fizzychicken

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1725745 24-Feb-2017 16:29

And there it is - geekzone.co.nz, geekzone.nz, geekzone.co.in, geekzone.co.uk - some of these domains are redirects and never really used so not sure if these are affected or simply use Cloudflare.

In any case, as mentioned, another reason for not reusing passwords.

nova

250 posts

Master Geek

Trusted

#1725748 24-Feb-2017 16:41

freitasm:

We didn't use those features so I am not worried. I think their response was effective.

Any site that used CloudFlare could have had their data leaked. Only sites that had the features enabled and malformed HTML would leak data in their responses, but the data could belong to any other site that shared the same server. Very similar to HeartBleed in that regard, except this offered it up for free, rather that requiring a specific exploit. I agree that CloudFlare looks to have been fairly responsive on this, the only legitimate complaint I can see is that they are downplaying the issue a bit.

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1725755 24-Feb-2017 16:51

That's just a list of all websites that use CloudFlare.

fizzychicken

313 posts

Ultimate Geek

#1725792 24-Feb-2017 18:36

timmmay:

That's just a list of all websites that use CloudFlare.

I should have probably added the word 'potentially'

https://keybase.io/fizzychicken

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1726000 25-Feb-2017 01:13

Just got an email from Cloudflare:

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1726145 25-Feb-2017 16:00

I have terminated all current sessions, invalidating all session cookies. I posted more information here.

jarledb

Webhead
3253 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1726177 25-Feb-2017 16:48

Wise move. Anyone using Cloudflare for their website should do the same. I have done that to all sites I manage that use Cloudflare.