Skithusgavel

Cloudflare might have leaked data.

The Cloudflare content delivery network for months has been leaking customer data, everything from private messages to encryption keys and credentials belonging to users of some of the Internet’s biggest properties.

The vulnerability has been addressed, Cloudflare CTO John Graham-Cumming said, but not before sensitive data was exposed belonging to users of a number of web-based services including Uber, Fitbit, OK Cupid and others.

Google Project Zero researcher Tavis Ormandy privately disclosed the issue last Friday to Cloudflare, which said that three “minor” features were to blame and had since been turned off. The first of the features, Graham-Cumming said, was turned on last Sept. 22, but he said that the time of greatest potential impact started Feb. 13 and lasted until Ormandy’s disclosure last Saturday.

Ormandy said in a bug report posted to the Project Zero feed that he saw some unexpected data surface during an unrelated project. The data was uninitialized memory among valid data that he determined was coming from a Cloudflare reverse proxy.

“It looked like that if an html page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like Heartbleed, but Cloudflare-specific and worse for reasons I’ll explain later),” Ormandy said in his report. “My working theory was that this was related to their ‘ScrapeShield’ feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.”

The issue has been informally called Cloudbleed given its similarities to Heartbleed, a major OpenSSL vulnerability in 2014 that also leaked sensitive information in memory.

Ormandy said it didn’t take long during an analysis of some live samples to see encryption keys, cookies, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among the data coming from other users.

Ormandy shared what he had found with Cloudflare and yesterday disclosed in a tweet that the service was leaking customer HTTPS sessions including those from Uber, Fitbit, 1Password, OKCupid and others.

Might be a good idea to change any passwords that have been used.

Read more at: https://threatpost.com/cloudflare-bug-leaks-sensitive-data/123891/
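The mechanism Ormandy describes above, a parser that keeps reading past the end of a page when a tag is never closed, as an added illustration in C that is not Cloudflare's code and not part of the original post: a toy tag scanner with no bounds check beside a hardened one, run over a constructed buffer in which the bytes after the page stand in for a neighbouring request that happens to sit next to it in memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample of proxy memory. Only the first PAGE_LEN bytes are the
 * customer's page (it ends in an unterminated <img tag); the bytes after it
 * stand in for another request that happens to sit next to it in memory. */
static const char backing[] =
    "<p>Hi</p><img src="                  /* the page: 18 bytes */
    "Cookie: session=constructed-secret>"; /* adjacent memory, not the page */
#define PAGE_LEN 18

/* Return the index just past the '>' that closes the last tag in buf.
 * VULNERABLE: trusts that a '>' exists and keeps reading beyond len. */
size_t tag_end_unsafe(const char *buf, size_t len) {
    size_t start = len;
    for (size_t j = 0; j < len; j++)
        if (buf[j] == '<') start = j;
    if (start == len) return 0;        /* no tag at all */
    const char *p = buf + start;
    while (*p != '>') p++;             /* no bounds check: walks off the page */
    return (size_t)(p - buf) + 1;
}

/* Hardened version: the scan stops at the end of the page, and an unterminated
 * tag is reported as an error instead of being "found" in neighbouring memory. */
long tag_end_safe(const char *buf, size_t len) {
    size_t start = len;
    for (size_t j = 0; j < len; j++)
        if (buf[j] == '<') start = j;
    if (start == len) return 0;
    const char *p = buf + start, *end = buf + len;
    while (p < end && *p != '>') p++;
    if (p == end) return -1;           /* unterminated tag: refuse to emit it */
    return (long)(p - buf) + 1;
}

int main(void) {
    size_t u = tag_end_unsafe(backing, PAGE_LEN);
    long s = tag_end_safe(backing, PAGE_LEN);
    /* The unsafe scanner reports 53 bytes and would copy the "secret" into
     * the output; the safe one returns -1 for the same 18-byte page. */
    printf("unsafe scanner would copy %zu bytes: \"%.*s\"\n", u, (int)u, backing);
    printf("safe scanner returns %ld (unterminated tag)\n", s);
    return 0;
}
```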

Don't bother.

Even if h@xx0r has both your username and pass, if you have 2FA enabled, h@xx0r has 1 in 999999 chance of accurately guessing your six digit code.

Good luck to the h@xx0r.

Enable 2FA.

34 minutes ago, Skithusgavel said:

Yes, well this was just a warning for you. And I can see a very steep increase in hacked accounts just for the past few days.

Not so.

GM Xerox merely responded to many topics regarding hacked accounts even from 10 days back, thereby bumping all said topics to the front page.
