Jump to content

Cloudflare Leak: Which sites has Cloudbleed affected?


Reefa

Recommended Posts

Quote

It hasn’t been a very good week for Cloudflare’s security team. Late last week, Travis Ormandy from Google’s Project Zero discovered a rather large memory issue that was potentially leaking sensitive information from websites that use Cloudflare. That isn’t the best news to hear when you consider that Cloudflare works with over two million different websites, including some heavy hitters like Fitbit, OkCupid, and Uber.

 

Cloudflare says that it had the vulnerability fixed within hours after being contacted by Ormandy, but the major issue here is that this memory problem had been leaking information since September 22, 2016. Even worse is the fact that this information, which could include passwords, API keys, private messages, and cookies, could have been cached by search engines, turning the matter into more than your standard security breach.

 

Cloudflare has a very in-depth description of the bug over on its website, along with the solution and the lessons it’s learned from mishap. The worry now turns to which websites were affected. Though Cloudflare has yet to release a full list (and likely won’t), a Github user has put together an unofficial list of websites that use Cloudflare DNS – not just Cloudflare’s proxy, as he points out, which was at the center of this leak.

 

As you can see, the list is absolutely massive. Keep in mind that a website appearing on this list doesn’t necessarily mean its security has been compromised, but it’s good to include them out of an abundance of caution. Indeed, some sites on the list have been updated to reflect statements from their owners, which is the case for 1Password, a password manager service that has confirmed it wasn’t affected by this leak. Elsewhere, DoMa has shared a list of Cloudflare websites that have had public data leak out, though it again notes that any Cloudflare site can potentially be affected by this.

 

Cloudflare reassures that the amount of data that ultimately leaked is small – it says the “greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.” Still, when we consider that Cloudflare works with millions of sites around the world and that this vulnerability lasted for around six months, there’s plenty of reason to be concerned.

What you should do about Cloudbleed

Make no mistake, this vulnerability is big, and many people are justifiably comparing it to the Heartbleed vulnerability from a couple of years ago. It’s hard to tell just how big the vulnerability is at this point in time, and there will probably be many more details surfacing over the next few weeks. In other words, if you’re trying to find which sites were compromised so you know which passwords to change, the smartest move right now is to change all of your passwords without concern for the finer points.

 

Beyond that, you should activate two-factor authentication if a website you use offers it, and password managers are never a bad idea as they allow you to create and maintain unique passwords for each log in you have. Obviously, Internet users who are concerned about privacy should have been doing this already, but breaches like these always serve as a good reminder that it’s never too late to begin taking your online security more seriously.

 

source

 

Link to comment
Share on other sites


  • Replies 9
  • Views 647
  • Created
  • Last Reply
Quote

How to secure your data after the Cloudflare leak

Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked from many client websites during the five months before the bug was discovered and reported by Tavis Ormandy, a Google researcher.

 

Unfortunately, it’s still not entirely clear how many Cloudflare customers were affected by the bug. The leaked data was cached by search engines in some cases, making the clean-up of the leak a difficult process. Although Google, Yahoo, Bing and other search engines worked to scrub the data before Cloudflare publicly disclosed the bug, researchers reported today that they were still finding samples of leaked data in search engine caches.

 

Quote

 

“You can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search… and they work,” Hector Martin, a security researcher, tweeted. (The Cloudflare incident has earned the nickname CloudBleed after being compared to the HeartBleed vulnerability.) Martin discovered an authentication cookie for a financial website, Motherboard reported. The cookie would allow an attacker to log in to the site without a password, posing as a regular user.

 

Given that sensitive data is still floating around in search engine caches, it’s a good idea to reset your account passwords and enable two-factor authentication. You should also use a password manager to generate unique passwords for the websites you visit.

 

Cloudflare hasn’t uncovered any evidence that the bug was discovered by anyone other than Ormandy — but it never hurts to refresh your passwords, particularly since they might still exposed in a cache.

 

It’s also a good idea for sites that use Cloudflare to issue a forced password reset to their users (some Cloudflare customers, like Creative Commons and Bugcrowd, are already doing this). 

Quote

 

You can check out a list of Cloudflare customers to see if websites you use might be affected by the leak — but keep in mind that not all of Cloudflare’s clients were affected. Because of the way Cloudflare’s code was configured, the leak was at its worst for less than a week, when 1 in every 3,300,000 Cloudflare requests might have caused leakage. As Cloudflare notes, that’s just 0.00003% of requests.

 

source

 

Link to comment
Share on other sites


List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak

 

Homepage

https://github.com/pirate/sites-using-cloudflare

List 22MB 4,287,625 possibly affected domains

https://codeload.github.com/pirate/sites-using-cloudflare/zip/master

Cloudbleed List Checker

http://cloudflarelistcheck.abal.moe/

 

 

Link to comment
Share on other sites


I always hated Cloudflare because the run a monopoly they create there own business  they  host a whole bunch of DDoSer's  then sell sites protection to control  it that want protect the end user of the sites data as you can see   in the post above it's a real shame they host most of the internet and  not been sued out of business by now. because there crooks

 

Do these domains deserve CloudFlare's protection? Perhaps we all need to be protected from CloudFlare

http://www.crimeflare.com/cfsites.html

What makes this leak scary is Google sucked up all the info and if you posted anything on the internet since September 22, 2016 with you're real info they may of got it but many people use Gmail and they know who you are anyway. Ive not posted anything or done anything with my real info on the internet since the early 2000s I dont even use paypal  if i buy something I give someone else the money. People use to think I was crazy and paranoid but when something leaks this big it exposes them and the data i push out on the internet is of no value to any data harvester because it's not relevant too who i am  That's what people get for trusting the cloud with there real info.  :P

 

Link to comment
Share on other sites


"Cloudflare Says Cloudbleed Leaked Loads of Data, But No Trace of Exploitation"

 

Cloudflare investigated the mass leaking of encrypted browsing sessions Google's experts discovered but found no evidence of exploitation, despite the huge vulnerability the bug brought to the table.

 

The company admits that this vulnerability had the potential to be much worse, but, lucky for them, and the users, there's no evidence of malicious exploitation before the patch was rolled out.

 

"After a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records," Cloudflare says, adding that it has no stopped reviewing the incident.

 

The company adds that while millions of websites use Cloudflare, the vast majority of the customers had no data leaks, which is good news for obvious reasons.

 

The company is doing a pretty good job at trying to restore customer and user trust in its infrastructure. Both last week and now, Cloudflare issued a pretty long and detailed account of what happened and why and how things were handled.

 

Cloudbleed, but not really

It all started when Google security researcher Tavis Ormandy privately disclosed the bug to Cloudflare, which rolled out a fix in record time.

 

In its disclosure, Cloudflare explains that the problem was caused by faulty code in its edge servers which allowed data to run over the bugger, return memory that wasn't encrypted and expose people's browsing information. The list included HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, and loads more.

 

Google, Bing, and even China's Baidu worked together to cach some of the leaked data, scraping it from their search results to help protect people. More than 80,000 unique cached pages have been removed since the flaw was discovered, the company sad.

 

According to Matthew Prince, chief executive of the networking giant, 1.2 million requests were at risk of being leaked since the bug was inadvertently introduced back in September and until February 13 when the bug was fixed.

 

“The report is technically comprehensive and quite transparent. Even if we cannot verify the accuracy of all the numbers inside – for the moment, I don’t have a valid reason to question either its content, or conclusion. One may say that it’s written in a bit too positive manner, trying to assure their customers, but this is a globally accepted practice. [...] Cloudflare’s reaction to the incident was professional, rapid and transparent. It can serve as an example to other companies," Ilia Kolochenko, web security firm High-Tech Bridge CEO, told Softpedia.

 

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...