Fwd: Serious Cloudflare bug exposed a potpourri of secret customer data

[Rich Kulawiec <rsk () gsp org>]

(h/t to Richard Forno)

After you're done reading the Ars Technica article excerpted and linked
below, you may also want to read:

        Cloudflare Reverse Proxies Are Dumping Uninitialized Memory
        https://news.ycombinator.com/item?id=13718752

and, as background:

        CloudFlare, We Have A Problem
        http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

and then perhaps consider this comment from the Ycombinator thread:

        Where would you even start to address this? Everything you've
        been serving is potentially compromised, API keys, sessions,
        personal information, user passwords, the works.

        You've got no idea what has been leaked. Should you reset all
        your user passwords, cycle all or your keys, notify all your
        customers that there data may have been stolen?

        My second thought after relief was the realization that even
        as a consumer I'm affected by this, my password manager has > 100
        entries what percentage of them are using CloudFlare? Should
        I change all my passwords?


---rsk


----- Forwarded message from Richard Forno <rforno () infowarrior org> -----

> From: Richard Forno <rforno () infowarrior org>
> Date: Fri, 24 Feb 2017 07:30:21 -0500
> To: Infowarrior List <infowarrior () attrition org>
> Subject: [Infowarrior] - Serious Cloudflare bug exposed a potpourri of
>       secret customer data
>
> Serious Cloudflare bug exposed a potpourri of secret customer data
>
> Service used by 5.5 million websites may have leaked passwords and authentication tokens.
>
> Dan Goodin - 2/23/2017, 8:35 PM
>
> Cloudflare, a service that helps optimize the security and performance of
> more than 5.5 million websites, warned customers today that a recently
> fixed software bug exposed a range of sensitive information that could
> have included passwords, and cookies and tokens used to authenticate
> users.
>
> A combination of factors made the bug particularly severe. First, the
> leakage may have been active since September 22, nearly five months
> before it was discovered, although the greatest period of impact was
> from February 13 and February 18. Second, some of the highly sensitive
> data that was leaked was cached by Google and other search engines. The
> result was that for the entire time the bug was active, hackers had
> the ability to access the data in real-time, by making Web requests
> to affected websites, and to access some of the leaked data later by
> crafting queries on search engines.
>
> "The bug was serious because the leaked memory could contain private
> information and because it had been cached by search engines," Cloudflare
> CTO John Graham-Cumming wrote in a blog post published Thursday. "We
> are disclosing this problem now as we are satisfied that search engine
> caches have now been cleared of sensitive information. We have also
> not discovered any evidence of malicious exploits of the bug or other
> reports of its existence."
>
> The leakage was the result of a bug in an HTML parser chain Cloudflare
> uses to modify Web pages as they pass through the service's edge
> servers. The parser performs a variety of tasks, such as inserting Google
> Analytics tags, converting HTTP links to the more secure HTTPS variety,
> obfuscating email addresses, and excluding parts of a page from malicious
> Web bots. When the parser was used in combination with three Cloudflare
> features???e-mail obfuscation, server-side Cusexcludes, and Automatic
> HTTPS Rewrites???it caused Cloudflare edge servers to leak pseudo random
> memory contents into certain HTTP responses.
> < - >
>
> https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/