Comment by the_common_man
8 years ago
How does such a simple bug not get picked up by auto tests, CI or end-to-end tests? I am baffled. Since we are behind Cloudflare, I am not sure what I should tell my manager now. I lack the technical know-how to parse that extremely technical article. Are we supposed to just assume all our traffic that passed via Cloudflare is possibly compromised?
It's also a bit sad that Tavis has to contact Cloudflare by Twitter. Seriously?
Edit: https://twitter.com/taviso/status/832744397800214528 is the tweet in question
I don't think he had to, but he got an answer in minutes. I don't think that's the part to be worried about.
As for what you should do: it sounds like the impact is relatively low. I'd personally change easily-changed secrets which go over the session, and potentially externally facing customer passwords (yes in enterprise, maybe not in consumer).
(I don't have any insider info on this breach, though, but I read both posts and know how the system works.)
Sounds bad to me...
"We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!)."
The trouble is you have no way to know if someone discovered this earlier, and harvested info for a long time.
Or, how much harvested info from your site might be in a Google cache for someone else's site.
Does 1Password really send anything meaningful in their API queries, or is it encrypted separately and then just sent over HTTPS?
Read Tavis' comments. He disagrees with you regarding the severity. This is a big f--king deal!
OK, "severe in impact", but there isn't much victims can actually do besides try to invalidate as much data as possible that had potentially transited Cloudflare.