Cloudflare bug -- "Cloudbleed" -- February 24, 2017

Started by Jason, February 24, 2017, 11:12:28 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason


This is big news and could theoretically impact sensitive data for thousands (if not millions) of websites.
 
Here are a few stories although they're popping up by the hour:

https://www.forbes.com/sites/thomasbrewster/2017/02/24/google-just-discovered-a-massive-web-leak-and-you-might-want-to-change-all-your-passwords/#328dae163ca3

https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.7yhhdigkg

https://www.wordfence.com/blog/2017/02/cloudflare-data-leak/?utm_source=list&utm_campaign=022317&utm_medium=email

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
 
"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
 
The bad thing about this is that during the time this issue existed (sounds like 5 months with the most activity in the past two weeks), search engines were crawling and caching these malformed pages meaning that you can visit search engines and search for specific things and find them archived.  This could be pages with security info, private messages, passwords, etc. injected right on the pages.  Google is working to find/clean these pages but just think of all the search engines out there globally that now have this information saved.
 
It might be worth the time to change all sensitive passwords as a precaution.

Note: Charlottezweb does not utilize Cloudflare itself although I'm aware of some customers who do.  I'm posting this story as it impacts countless websites that I'm sure we all use that do utilize their service.