
Vivaldi: The “Cloudbleed” issue: keeping you safe


tao


Due to the Cloudbleed issue, Vivaldi have reset the password for some Vivaldi Community users to be on the safe side.

 

Thursday February 23rd, the internet content distribution network provider (CDN) Cloudflare, which is used by Vivaldi to host some of our web sites, disclosed that their servers had for some months been leaking sensitive data, such as passwords, cookies, form submissions and some forms of encryption keys from some sites in HTTP responses from unrelated sites. The problem has been fixed since February 18th after they were notified about the issue by one of Google’s security researchers.

 

The leaks were likely very random, and it is impossible to say whether or not information for a given user leaked and if it was abused by somebody who had discovered the issue. When we became aware of the issue we investigated how this impacted our sites and our users. We determined that:

 

  • Session cookies for our websites could have leaked, and we have therefore deleted the sessions that might be affected. For the most part this will not be visible for Vivaldi users visiting our community sites as their session is automatically regenerated.
  • The passwords of users that logged into Vivaldi.net between September 21st and November 4th 2016 may be affected, and to be on the safe side we are asking these users to change their password the next time they log in using the ‘recover password’ link. If they had a currently valid login session this morning, we have expired their session to force them to log in again. Apologies!
    After November 4th we changed to a login system that did not pass through Cloudflare. If you have used the affected password on other services, you should change your password on those services, too. Also please choose a different password for each service you use.
  • We also did some internal changes to systems that might be affected.

 

At present, there are no indications that any Vivaldi.net accounts have been compromised due to this issue. We are taking the steps we outlined above to be on the safe side.

 

The issue has become known as “Cloudbleed” – a reference to the name given a similar issue in OpenSSL’s implementation of the Heartbeat TLS extension a few years ago, which was named “Heartbleed”. The present issue was caused by buffer overruns (reading past the end of memory buffers) in code used by Cloudflare to parse HTML in some of their services. The memory read could contain data from previous sessions unrelated to the site being accessed. The issue has been present, with various degrees of severity, since September 2016.

 

< Here >
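The failure mode described in the quoted announcement (a parser reading past the end of its buffer and returning bytes left over from an unrelated request), shown next to a bounds-checked version. This is an added illustration, not part of the original post and not Cloudflare's code; the buffer contents, function names and the single-arena layout are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not real traffic. */
static const char PAGE[]  = "<a href=\"/index";      /* truncated: closing quote missing */
static const char STALE[] = "sid=SECRET\" leftover";  /* bytes left by an unrelated request */
#define ATTR_START 9                                   /* offset just past href=" */

static char arena[64];   /* one allocation: page bytes followed by stale bytes */
static size_t page_len;  /* how many bytes of the arena belong to the page */

static void build_arena(void)
{
    memset(arena, 0, sizeof arena);
    page_len = strlen(PAGE);
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, STALE, strlen(STALE));
}

/* Flawed: stops only at a closing quote and never asks where the page ends. */
static size_t copy_attr_unsafe(const char *buf, size_t start, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = buf + start; *p != '"' && n + 1 < outsz; p++)
        out[n++] = *p;
    out[n] = '\0';
    return n;
}

/* Hardened: every read is bounded by len; unterminated input is rejected. */
static long copy_attr_checked(const char *buf, size_t len, size_t start, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = start; i < len && n + 1 < outsz; i++) {
        if (buf[i] == '"') { out[n] = '\0'; return (long)n; }
        out[n++] = buf[i];
    }
    out[0] = '\0';   /* hit end of page (or output) without a closing quote */
    return -1;
}

int main(void)
{
    char out[64];
    build_arena();
    size_t n = copy_attr_unsafe(arena, ATTR_START, out, sizeof out);
    printf("unsafe:  %zu bytes \"%s\"\n", n, out);
    long r = copy_attr_checked(arena, page_len, ATTR_START, out, sizeof out);
    printf("checked: %ld\n", r);
    return 0;
}
```

The unsafe copy returns the page's own `/index` followed by the stale `sid=SECRET` bytes, which is why data from one site could appear in a response for another; the checked copy refuses the truncated tag instead.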

 


“Cloudbleed”: addressing your questions: We have been receiving a number of questions related to the so-called “Cloudbleed” issue, and we’d like to clarify these matters.

 

Please read here.

 

 



7 hours ago, mikie said:

fwiw  

nsanedown is on the cloudbleedcheck list as potentially leaked info's.

So are over a million other sites. Do you have any proof? Unless you found data in a search engine's cache, you don't know this for sure. That list of sites and cloudbleedcheck just list hosts that were using Cloudflare, and they missed many potentially compromised sites, so if you go by it, a site you used may or may not have leaked info, and even if it is on the list, unless someone has proof it's hard to say.



Archived

This topic is now archived and is closed to further replies.
