Cloudflare service used by 5.5 million sites may have leaked passwords and auth tokens

Oh dear, so it looks like quite a serious issue.

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains. Thursday's disclosure came only after the leaked data was fully purged, with the help of the search engines.

https://arstechnica.com/security/20...-exposed-a-potpourri-of-secret-customer-data/

Quote from a Google engineer:

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

Also reading that people are searching websites with Google cache and finding all sorts from full Uber requests to hotel bookings.

Full Google engineer quotes below

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
 
Yeah this is a major problem. People should change their passwords for any service that used Cloudflare. So that means Reddit, Discord and many other online services.
 
Chances that you're affected are pretty slim but why risk it.

Problem is that this data has been cached by web crawlers so places like Google and Bing. But they are trustworthy search engines and will probably delete the data. What about all the dodgy Chinese crawlers that crawl the web for vulnerabilities? They potentially have all your login info for major sites and will now be trawling through all of their cached data looking to exploit all of this as soon as they can. You cannot trust most web crawlers so change all your passwords NOW.
 
I'm sure the Google engineer would say all these things, given Google are about to become a major ISP Cert Auth. They'll want a slice of that business pie....
 
I'm sure the Google engineer would say all these things, given Google are about to become a major ISP Cert Auth. They'll want a slice of that business pie....

If you really believe that, there is something wrong with you. I'm sure Cloudflare would put a blog post up on their own blog just to help or Google. Or perhaps it is because there is really a MASSIVE security vulnerability that has been discovered that affects any website using the Cloudflare SSL proxy?
 
I've just been through a massive list of websites I'm a member of and changed all my passwords for websites that use Cloudflare. Took ages.
 
Thanks, only changed one (transferwise).

Good a time as any to get a password manager, people. KeePass, LastPass, 1Password, etc. See the thread over in Windows Software (IIRC).

Would be nice if one of these password managers could automate the task of changing passwords on all your accounts. Inevitably something like this will happen again; would be nice to just press a button and every site gets a new random password.
 
If you really believe that, there is something wrong with you. I'm sure Cloudflare would put a blog post up on their own blog just to help or Google. Or perhaps it is because there is really a MASSIVE security vulnerability that has been discovered that affects any website using the Cloudflare SSL proxy?

the bug affected +/-800 unique URLs across +/-160 unique domains. Given the amount of traffic going through CloudFlare servers, I’d say there is a minuscule probability of any individual’s data being exposed, let alone that data that is actually critically sensitive......
 
the bug affected +/-800 unique URLs across +/-160 unique domains. Given the amount of traffic going through CloudFlare servers, I’d say there is a minuscule probability of any individual’s data being exposed, let alone that data that is actually critically sensitive......

I have no idea where you get your information from but that is totally false. It affects every website that uses Cloudflare's features of email obfuscation, server side excludes and HTTPS rewrites. You should read the actual blog so you know what you are talking about. Basically if you log in to any website that uses Cloudflare you should change your password. There are over 77 million websites using Cloudflare.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
 
the bug affected +/-800 unique URLs across +/-160 unique domains. Given the amount of traffic going through CloudFlare servers, I’d say there is a minuscule probability of any individual’s data being exposed, let alone that data that is actually critically sensitive......
Once you find one of these sites (a site with a malformed HTML tag which causes CF to leak the data), presumably you simply reload the page to keep getting different random chunks of data from any site running through their systems.

I've always thought of Cloudflare as a neat system, but one which is fascinatingly complex, often misunderstood, and I guess now not to be used on anything of importance, because when they have issues they are usually (always?) esoteric and serious, e.g. their recent leap-second DNS outage.
 
I have no idea where you get your information from but that is totally false. It affects every website that uses Cloudflare's features of email obfuscation, server side excludes and HTTPS rewrites. You should read the actual blog so you know what you are talking about. Basically if you log in to any website that uses Cloudflare you should change your password. There are over 77 million websites using Cloudflare.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

The NCSC website. You know. That National Cyber Security Centre who are in talks with Cloudflare constantly and assisting with fixing the issue. 77 million websites weren't affected though. That's what you're forgetting. But it's ok, I'll take your cyber analyst armchair experience with the pinch of salt it requires.
 
It looks like CloudFlare are reaching out to their customers. I'll paste the email I've just received:

Dear [...],

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information would still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.


Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.


Matthew Prince
Cloudflare, Inc.
Co-founder and CEO

I own a large website hosted by CloudFlare with many hundreds of thousands of users and various other websites. This is very serious but sounds like they jumped on it quickly enough to mitigate damage.
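
The email's advice to invalidate and reissue long-lived session identifiers and tokens, sketched as an added example (not part of the thread and not Cloudflare's or any site's code). The token format, key ids, key values and the `NOT_BEFORE` cutoff are all constructed assumptions: the old signing key is retired and anything issued before the cutoff is refused, so every user has to log in again.

```python
import hashlib
import hmac
import time

# Constructed signing keys, indexed by key id. The key used during the
# exposure window ("k1") has been removed; only "k2" signs or verifies now.
KEYS = {"k2": b"constructed-new-key"}
ACTIVE_KID = "k2"
# Constructed cutoff: tokens issued before the fix and rotation are refused
# even if their signature is valid.
NOT_BEFORE = 1_700_000_000


def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue(user, now=None, kid=ACTIVE_KID, key=None):
    """Issue 'kid.user.issued_at.mac' (user names must not contain dots)."""
    issued = int(time.time() if now is None else now)
    body = f"{kid}.{user}.{issued}"
    return f"{body}.{_mac(key or KEYS[kid], body)}"


def verify(token, now=None, max_age=86400):
    """Return the user name for a token that is still acceptable, else None."""
    try:
        kid, user, issued, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return None  # malformed token
    key = KEYS.get(kid)
    if key is None:
        return None  # signed with a retired key
    expected = _mac(key, f"{kid}.{user}.{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or tampered
    now = int(time.time() if now is None else now)
    if issued < NOT_BEFORE or now - issued > max_age:
        return None  # issued during the exposure window, or expired
    return user
```
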
 
It looks like CloudFlare are reaching out to their customers. I'll paste the email I've just received:

I own a large website hosted by CloudFlare with many hundreds of thousands of users and various other websites. This is very serious but sounds like they jumped on it quickly enough to mitigate damage.

Cloudflare are playing it down.

The key point being at the time a lot of crawlers and people who got the error, didn't know what they were looking at. While now it's released, you can bet malicious crawlers from China etc are now digging through for those pages in its archives.
 
The NCSC website. You know. That National Cyber Security Centre who are in talks with Cloudflare constantly and assisting with fixing the issue. 77 million websites weren't affected though. That's what you're forgetting. But it's ok, I'll take your cyber analyst armchair experience with the pinch of salt it requires.

Since you haven't posted a source and I can't find anything on the NCSC website how am I supposed to respond? The simple fact of the matter is that Cloudflare themselves have acknowledged that this fault is causing issues on any Cloudflare website that used the SSL proxy and that was many thousands of websites. So until you provide a source that trumps the official stance of Cloudflare I'll continue to not believe you.
 