Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.
A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.
"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
The leakage was the result of a bug in an HTML parser chain Cloudflare uses to modify Web pages as they pass through the service's edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating email addresses, and excluding parts of a page from malicious Web bots. When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side Cusexcludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses.
Source: ArsTechnica. Also at TechCrunch.
[Ed. Note: This story link was also submitted by darkfeline.]
(Score: 0) by Anonymous Coward on Friday February 24 2017, @09:43PM
I have watched in mild horror as SAAS has become ubiquitous, and I do worry that these things would actually fall under "its not a bug, its a feature!"
(Score: 2, Insightful) by Anonymous Coward on Friday February 24 2017, @09:53PM
One more step
Please complete the security check to access blog.cloudflare.com
... Followed by an unsolvable captcha.
Cloudflare has decided that my IP address is doing something naughty, so they have permanently blocked me from accessing 90% of sites on the Internet. That all cloudflare.com sites, so I can't even report the bug.
(Score: 0) by Anonymous Coward on Friday February 24 2017, @10:04PM
If your creator isn't able to make you smart enough to solve a CAPTCHA then don't expect our help!
(Score: 1, Funny) by Anonymous Coward on Friday February 24 2017, @10:23PM
If you're such a hotshot, explain how you would solve this captcha: http://imgur.com/a/lXFBY [imgur.com]
(Score: 0) by Anonymous Coward on Friday February 24 2017, @10:25PM
It appears to be an exclamation point "!"
(Score: 0) by Anonymous Coward on Friday February 24 2017, @10:46PM
that's the default captcha when you're blocking javascript from the first party.
(Score: 0) by Anonymous Coward on Saturday February 25 2017, @02:32PM
That one is EASY! The answer is "hunter2" (without the quotes).
(Score: 3, Informative) by fishybell on Friday February 24 2017, @10:17PM
Tor does have its downsides.
(Score: 3, Informative) by butthurt on Friday February 24 2017, @11:35PM
Try reading it on Ars Technica (link is in summary).
https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/ [arstechnica.com]
(Score: 0) by Anonymous Coward on Friday February 24 2017, @10:47PM
s/t
PS: Who the fuck checks for the end of a parsing loop with ==?
(Score: 0) by Anonymous Coward on Saturday February 25 2017, @12:43AM
...this stinks.
(Score: 3, Interesting) by number6 on Saturday February 25 2017, @08:21PM
After reading everything in these external links:
I now find it very very hard to respect anyone or any website choosing to include Cloudflare in their tool set.
From now on, I am assuming these facts are true unless proven otherwise:
(Score: 2) by Rivenaleem on Monday February 27 2017, @03:15PM
How many LoC's is that?