
CloudFlare Leaked Passwords - CloudBleed Bug


martinibuster

1:37 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

Read the BBC article here. [bbc.com]

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.


Google is working to erase the data from its public cache. CloudFlare's CEO downplays it, while the Google engineer who discovered it calls it "so bad" that they have to work through the weekend to clean up the exposed files still in Google's public cache.


It was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.

"We keep finding more sensitive data that we need to clean up," he wrote in a log of the discovery [bugs.chromium.org]. "The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up."


keyplyr

2:16 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

SECURITY
Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats
I wonder if they had to publish security breaches along with their hyperbole, would it help with diligence?

brotherhood of LAN

3:58 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

It has the potential to be a really messy bug, given how many websites use Cloudflare. The safest bet is to change any security credentials, though it would seem the actual threat is quite small.

Here is a collated list of sites that use Cloudflare, based on the top Alexa million.
[github.com...]

ogletree

5:13 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Are they saying that people got this list or that there was a potential to get the list?

Dimitri

5:46 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

Sounds very bad for CloudFlare! The problem with big companies / services is that, as soon as a leak is discovered / exploited, tons of sites / people are affected. (Imagine if CloudFlare is taken down tomorrow by an attack, how millions of sites will be inaccessible, for example.)

brotherhood of LAN

7:15 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Are they saying that people got this list or that there was a potential to get the list?


There's been data leaking for months and it's just been corrected. Cloudflare are claiming that only 150 sites were affected. It only affects customers who were using specific features of their system.

They've approached Google and other well-known crawlers looking to clean up any sensitive cached data and have it removed. Of course, there's many more crawlers out there that may have grabbed sensitive data.

ambt

2:45 am on Feb 25, 2017 (gmt 0)

5+ Year Member

I have 2 sites on CloudFlare. I changed my WordPress salts to log everybody out and changed admin passwords. Do you think it is sufficient, or should I also do something else?
I also have Piwik Analytics; I changed my admin password but don't know how to force a log out there.
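Rotating the WordPress salts, as the post above describes, is the standard way to invalidate every existing session after a credential leak: the auth, logged-in and nonce cookies are signed with those eight constants, so cookies issued under the old values stop validating. The script below is an added example, not code from the thread or from WordPress itself; it rewrites the eight define() lines in a wp-config.php with fresh CSPRNG values. The sample config text, the salt alphabet and the helper names are constructed for the demonstration.

```python
import re
import secrets
import string

# The eight constants WordPress uses to key the HMACs on its auth, secure-auth,
# logged-in and nonce cookies; changing them invalidates every existing session.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumption: a character set that is safe inside either PHP quote style
# (no quotes, no backslash, no '$'), similar to what WordPress's generator uses.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>~`,.;:/?|"

# Matches one line like  define('AUTH_KEY', 'value');  with either quote style.
# The head and tail groups are kept verbatim so only the value is replaced.
DEFINE_RE = re.compile(
    r"(?P<head>define\(\s*(?P<q1>['\"])(?P<key>[A-Z_]+)(?P=q1)\s*,\s*(?P<q2>['\"]))"
    r"(?P<val>.*?)"
    r"(?P<tail>(?P=q2)\s*\)\s*;)"
)

# Constructed sample wp-config.php fragment (not any real site's config).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  "put your unique phrase here");
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_salt(length=64):
    """Return a fresh random salt drawn with the secrets module (CSPRNG)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace the value of every WordPress salt define in config_text.

    Returns (new_text, replaced) where replaced maps key -> new value.
    Non-salt defines (DB_NAME etc.) and all other lines are left untouched.
    """
    replaced = {}

    def substitute(match):
        key = match.group("key")
        if key not in WP_SALT_KEYS:
            return match.group(0)
        salt = new_salt()
        replaced[key] = salt
        return match.group("head") + salt + match.group("tail")

    return DEFINE_RE.sub(substitute, config_text), replaced


def missing_salt_keys(config_text):
    """List salt constants not defined in the file. WordPress then falls back
    to salts stored in the options table, which this rotation does not touch."""
    present = {m.group("key") for m in DEFINE_RE.finditer(config_text)}
    return [k for k in WP_SALT_KEYS if k not in present]


if __name__ == "__main__":
    rotated, changed = rotate_salts(SAMPLE_WP_CONFIG)
    print(rotated)
    print("rotated:", ", ".join(changed))
    print("missing:", missing_salt_keys(SAMPLE_WP_CONFIG) or "none")
```

To use it on a real install, read wp-config.php into `rotate_salts()` and write the result back; check `missing_salt_keys()` first, because any constant absent from the file means WordPress is using a salt stored in the database, and rotating the file alone will not log those sessions out.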

jmccormac

5:08 am on Feb 25, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Just by cloudflare.com DNS from the 01 Feb 2017 zones:

com 1396941
net 150063
org 106260
biz 14186
info 59731
mobi 3764
asia 2384
new gtlds 1185422

Some might only be using Cloudflare for DNS purposes.

Regards...jmcc