Cloudflare reports a security problem with edge servers
-
A colleague just IM'd me this.
Cloudflare reports a security problem with edge servers. Seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
" our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies "
Code fix: One character—an instance of "==" that should have been ">=". That was it. -
For those wanting to check who may be affected. The more I researched the more I realized they really have no idea how bad it could be.
https://isc.sans.edu/forums/diary/Cloudflare+data+leakwhat+does+it+mean+to+me/22113/
-
https://twitter.com/Magoo/status/835608355943006210
https://twitter.com/BBcan177/status/834975143306866688 -
Wireshark Statement
https://blog.wireshark.org/2017/02/the-cloudflare-incident-and-its-impact-on-wireshark-org/
-
after extensive google dorking i didnt find any of my sites data lambasted anywhere in internet caches or anything. One of the reports i read stated that only sites with a specific set of cloudflare features turned on actually had their data garbage dumped around the web.
I even searched for cookie names my site uses, and snippets of code that are unique to my site, based on examples of bits from other sites that leaked, and still nada.
-
This is why you may not find anything.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 -
@webtyro:
This is why you may not find anything.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139@comment:
We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).
@comment:
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
I wonder what password manager(s) are affected. Glad my sensitive accounts don't actually have the real password. Wonder if my bank was affected.
Also sounds like Cloudflare is going to down play this. Doesn't inspire confidence.
-
"The examples we are finding are so bad"
That caught my attention too.
My bank does not use Cloudflare, already checked.
I am sure Cloudflare knows full well how bad this "could" be but they are hoping for the best. Since it was accidental they may hope the bullet may have missed them. Not sure what to think myself.
There could be some data cache almost anywhere. Expect the unexpected I guess. -
http://www.doesitusecloudflare.com/?url=passwordbox.com
-
@webtyro:
This is why you may not find anything.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139Quite aware of the reports, my team have been keeping up on them as the situation developed.
We also use a custom built tool to help populate googles index's for our site, and boost ourselves a bit in the ratings, and ive noticed that seems to keep our pages fairly up to date in googles cache, we dont see any of our older data/pages in the cache due to that.
-
Just curious but, is there any data missing from those dates. Any sign of purge being done regarding your site. Anything that should be there but is not or can you tell from your end.
-
@webtyro:
Just curious but, is there any data missing from those dates. Any sign of purge being done regarding your site. Anything that should be there but is not or can you tell from your end.
My site looks to be at the same level of indexing as it normally is roughly, looking at the google webmaster tools, that shows googles indexing status of your sites, and how their crawlers are doing on it.
Using my tool, the google crawlers are indexing my site almost 24 hours a day. I also coded in a auto-login cookie generator for the google bots IP CIDR's and Useragents so the site auto-loggins the crawlers to a limited account i made for them. This helps me track the time they are actually spending on the site as well.
