PSA: Cloudflare bleed


Post by bannination

Most importantly -- we are not affected.
Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. This means a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme ... =h_&ia=web

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affec ... mains.html

Notable Sites

authy.com
coinbase.com
bitcoin.de
betterment.com
transferwise.com
prosper.com
digitalocean.com
patreon.com
bitpay.com
news.ycombinator.com
producthunt.com
medium.com
4chan.org
yelp.com
okcupid.com
zendesk.com
uber.com
poloniex.com
localbitcoins.com
kraken.com
23andme.com
curse.com (and some other Curse sites like minecraftforum.net)
counsyl.com
tfl.gov.uk
account.leagueoflegends.com
myaccount.nytimes.com
namecheap.com (no evidence of compromised data)
discordapp.com (affected)
glassdoor.com (no evidence of compromised data)
vultr.com (no evidence of compromised data)
fastmail.com (not affected, #2)
1password.com (not affected)
http://cloudflarelistcheck.abal.moe/ Someone set up this link so you could query websites that were affected.

Full information here: https://github.com/pirate/sites-using-cloudflare