
CloudFlare Leaked Passwords - CloudBleed Bug

     
1:37 pm on Feb 24, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14427
votes: 306


Read the BBC article here. [bbc.com]

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.


Google is working to erase the data from its public cache. The CloudFlare CEO downplays it, while the Google engineer who discovered it calls it "so bad" that they have to work through the weekend to clean up the exposed files still in Google's public cache.


It was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.

"We keep finding more sensitive data that we need to clean up," he wrote in a log of the discovery [bugs.chromium.org]. "The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up."


2:16 pm on Feb 24, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:7742
votes: 262


SECURITY
Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats
I wonder if they had to publish security breaches along with their hyperbole, would it help with diligence?
3:58 pm on Feb 24, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4853
votes: 11


It has the potential to be a really messy bug, given how many websites use Cloudflare. The safest bet is to change any security credentials, though it would seem the actual threat is quite small.

Here is a collated list of sites that use Cloudflare, based on the top Alexa million.
[github.com...]
5:13 pm on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ogletree is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 14, 2003
posts: 4307
votes: 35


Are they saying that people got this list or that there was a potential to get the list?
5:46 pm on Feb 24, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts: 348
votes: 49


Sounds very bad for CloudFlare! The problem with big companies / services is that, as soon as a leak is discovered / exploited, there are tons of sites / people affected. (Imagine if CloudFlare is taken down tomorrow by an attack, how millions of sites would be inaccessible, for example.)
7:15 pm on Feb 24, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4853
votes: 11


Are they saying that people got this list or that there was a potential to get the list?


There's been data leaking for months and it's just been corrected. Cloudflare are claiming that only 150 sites were affected. It only affects customers who were using specific features of their system.

They've approached Google and other well-known crawlers looking to clean up any sensitive cached data and have it removed. Of course, there are many more crawlers out there that may have grabbed sensitive data.
2:45 am on Feb 25, 2017 (gmt 0)

New User

joined:Jan 27, 2017
posts:20
votes: 3


I have 2 sites on CloudFlare. I changed my WordPress salts to log everybody out and changed admin passwords. Do you think it is sufficient, or should I also do something else?
I also have Piwik Analytics; I changed my admin password but don't know how to force a logout there.
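The salt rotation described in the post above, as an added example (not code from the thread or from WordPress itself): every WordPress login cookie is signed with the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts defined in wp-config.php, so replacing all eight with fresh random values invalidates every existing session at once. The script assumes the standard `define('AUTH_KEY', '...');` layout that WordPress ships, refuses to write a half-rotated file if any of the eight is missing, and uses the same character set as WordPress's own secret-key generator (no quote or backslash, so the values are safe inside a single-quoted PHP literal). The sample wp-config.php is constructed for illustration.

```python
"""Rotate the eight WordPress cookie keys/salts in a wp-config.php so that every
existing login cookie becomes invalid. Added example, not the thread's or
WordPress's own code; assumes the stock define('KEY', 'value'); layout."""
import re
import secrets
import string
import sys

# The constants WordPress uses to sign and salt authentication cookies.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
SALT_LENGTH = 64
# Letters, digits and the two special-character groups WordPress's generator
# uses; neither ' nor \ is included, so the value needs no PHP escaping.
SALT_ALPHABET = (string.ascii_letters + string.digits
                 + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|")

# Matches define('NAME', 'value'); with a single-quoted value (no ' inside).
_DEFINE_RE = re.compile(
    r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)\s*;")

# Constructed sample wp-config.php fragment with WordPress's placeholder salts.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_salt():
    """One cryptographically random 64-character salt."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def salt_values(config_text):
    """Return {key: value} for the salt defines present in config_text."""
    return {m.group("key"): m.group("value")
            for m in _DEFINE_RE.finditer(config_text)
            if m.group("key") in WP_SALT_KEYS}


def rotate_salts(config_text, generator=new_salt):
    """Return config_text with every salt define given a fresh value.

    Raises ValueError if any of the eight keys is absent, so a partially
    rotated file (which would leave some cookies valid) is never produced.
    Other defines such as DB_NAME are left untouched."""
    rotated = set()

    def replace(match):
        key = match.group("key")
        if key not in WP_SALT_KEYS:
            return match.group(0)
        rotated.add(key)
        # A function replacement is inserted literally, so no backslash
        # processing happens on the generated value.
        return "define('%s', '%s');" % (key, generator())

    new_text = _DEFINE_RE.sub(replace, config_text)
    missing = set(WP_SALT_KEYS) - rotated
    if missing:
        raise ValueError("salt keys not found in config: %s" % sorted(missing))
    return new_text


if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php
    # Without an argument, rotates the constructed sample and prints it.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(rotate_salts(text))
        print("rotated all %d salts in %s" % (len(WP_SALT_KEYS), sys.argv[1]))
    else:
        print(rotate_salts(SAMPLE_CONFIG))
```

Rotating the salts only logs sessions out; it does not change any password, so the admin password change mentioned in the post is still a separate step. Keep a backup of wp-config.php before running it against a live site.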
5:08 am on Feb 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 30, 2002
posts: 2546
votes: 50


Just by cloudflare.com DNS from the 01 Feb 2017 zones:

com 1396941
net 150063
org 106260
biz 14186
info 59731
mobi 3764
asia 2384
new gtlds 1185422

Some might only be using Cloudflare for DNS purposes.

Regards...jmcc
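The kind of per-TLD count jmcc reports above can be reproduced from registry zone files by reading each domain's NS records and keeping the domains whose name servers sit under cloudflare.com. The script below is an added example, not jmcc's tooling or Cloudflare's; the zone lines in it are constructed, and the counting treats a domain as "on Cloudflare DNS" when at least one of its name servers is under cloudflare.com, which, as the post notes, says nothing about whether the site also proxies traffic through Cloudflare.

```python
"""Count, per TLD, the domains whose zone-file NS records delegate to Cloudflare
name servers. Added example (not from the thread); the sample zone is constructed."""
from collections import defaultdict

# Constructed sample in the one-record-per-line NS layout gTLD zone files use.
# Mixed case and a comment line are included because real files contain both.
SAMPLE_ZONE = """\
; constructed sample, not real registry data
EXAMPLE.COM.    172800  IN  NS  AMY.NS.CLOUDFLARE.COM.
EXAMPLE.COM.    172800  IN  NS  BOB.NS.CLOUDFLARE.COM.
OTHER.COM.      172800  IN  NS  NS1.REGISTRAR-HOSTING.EXAMPLE.
SHOP.NET.       172800  IN  NS  DANA.NS.CLOUDFLARE.COM.
PROJECT.ORG.    172800  IN  NS  NS1.SELFHOSTED.EXAMPLE.
PROJECT.ORG.    172800  IN  NS  NS2.SELFHOSTED.EXAMPLE.
blog.org.       172800  in  ns  kip.ns.cloudflare.com.
"""


def parse_ns_records(zone_text):
    """Yield (domain, nameserver) pairs from NS records, lower-cased and with
    trailing dots removed. Comments, blank lines and other record types are
    skipped; TTL and class may be absent, so the NS token is located rather
    than assumed to be in a fixed column."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        ns_positions = [i for i, f in enumerate(fields) if f.upper() == "NS"]
        # Need an owner name before NS and a target after it.
        if not ns_positions or ns_positions[0] == 0 \
                or ns_positions[0] + 1 >= len(fields):
            continue
        domain = fields[0].lower().rstrip(".")
        nameserver = fields[ns_positions[0] + 1].lower().rstrip(".")
        yield domain, nameserver


def is_cloudflare_ns(nameserver):
    """True if the name server host is cloudflare.com or a subdomain of it."""
    return nameserver == "cloudflare.com" or nameserver.endswith(".cloudflare.com")


def cloudflare_domains_by_tld(zone_text):
    """Return {tld: number of distinct domains with at least one Cloudflare NS}.
    A domain with two Cloudflare name servers is counted once."""
    seen = defaultdict(set)
    for domain, nameserver in parse_ns_records(zone_text):
        if is_cloudflare_ns(nameserver):
            tld = domain.rsplit(".", 1)[-1]
            seen[tld].add(domain)
    return {tld: len(domains) for tld, domains in sorted(seen.items())}


if __name__ == "__main__":
    # Point this at a real zone file's NS records to reproduce the thread's
    # per-TLD figures; here it runs over the constructed sample.
    for tld, count in cloudflare_domains_by_tld(SAMPLE_ZONE).items():
        print("%s %d" % (tld, count))
```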
 
