Topic: Cloudflare Vulnerability Found - Time to Change Passwords


Offline pimathbrainiac

  • Occasionally I make projects
  • Members
  • LV10 31337 u53r (Next: 2000)
  • **********
  • Posts: 1731
  • Rating: +136/-23
  • dagaem
    • View Profile
Cloudflare Vulnerability Found - Time to Change Passwords
« on: February 24, 2017, 12:34:58 am »
Cloudflare has been compromised. It appears that someone has been exploiting a bug in Cloudflare to retrieve data in a manner similar to the heartbleed bug. Odds are, most of these sites have been affected, including forums such as Omnimaga, so:


CHANGE YOUR PASSWORDS


(Incomplete) list of sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare


Source: https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/
« Last Edit: February 24, 2017, 12:38:54 am by pimathbrainiac »
I am Bach.

Offline Sorunome

  • Fox Fox Fox Fox Fox Fox Fox!
  • Support Staff
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 7906
  • Rating: +371/-13
  • Derpy Hooves
    • View Profile
    • My website! (You might lose the game)
« Last Edit: February 24, 2017, 05:58:36 am by Sorunome »

THE GAME
Also, check out my website
If OmnomIRC is screwed up, blame me!
Click here to give me an internet!

Offline Eeems

  • Mr. Dictator
  • Administrator
  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6080
  • Rating: +316/-36
  • C'est la vie
    • View Profile
    • Eeems
Re: Cloudflare Vulnerability Found - Time to Change Passwords
« Reply #2 on: February 24, 2017, 12:44:06 pm »
Cloudflare has not reached out to us and at this time we are going to treat it as we are not affected.
I'm moving this topic for now to general discussion.

To follow up on this, I received this email from Cloudflare about the situation.
Quote
Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO
« Last Edit: February 24, 2017, 12:51:57 pm by Eeems »
/e

Offline Sorunome

Re: Cloudflare Vulnerability Found - Time to Change Passwords
« Reply #3 on: February 24, 2017, 01:24:35 pm »
As @Eeems reminded me on IRC, we actually use extra RSA tunneling for transmitting passwords, meaning that as long as you had JS enabled while logging in and got that "Loading..." bar thing on the top, it was impossible for your password to be accidentally leaked somewhere, as it was additionally RSA-encrypted with a keypair of which the private key only existed for a few seconds and never left the Omnimaga servers.

However, we just noticed that, unfortunately, for some reason that tunneling isn't turned on in the left login widget on the front page, so in the unlikely event that sensitive information did get leaked somehow, there is a very slim chance of your password being leaked.

Please note that if you haven't logged in since September or so, when the bug was introduced, and only stayed logged in via cookies, you are good to go anyway :)


Offline Eeems

Re: Cloudflare Vulnerability Found - Time to Change Passwords
« Reply #4 on: February 24, 2017, 01:32:26 pm »
I have also forcibly logged everybody out, so there is no way that someone could attempt to use your session cookie to gain access in case that was leaked.

EDIT: Also, for reference here is where we started talking about this on IRC: http://beta.chat.eeems.ca/1/3/2017-2-24#17:41:28
/e

Offline Sorunome

Re: Cloudflare Vulnerability Found - Time to Change Passwords
« Reply #5 on: February 24, 2017, 03:29:25 pm »
The frontpage login widget uses the RSA tunnel now, too.


Offline shmibs

  • android & human bean
  • Administrator
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2132
  • Rating: +281/-3
  • ohithur
    • View Profile
    • shmibbles.me
Re: Cloudflare Vulnerability Found - Time to Change Passwords
« Reply #6 on: February 24, 2017, 09:42:34 pm »
Thanks for this, at any rate. Am sort of out of the loop, so may not have heard for a while.