
Comment by fagnerbrack

8 years ago

TL;DR for the lazy ones:

> The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is huge.

I mean, seriously, this is REALLY HUGE.

I don't get it. How is this info leaked? From the blog posts, it seems that "only" the HTTP Headers are being leaked and somehow being crawled by Google? But since when does Google store HTTP request info? Can someone explain?

  • Headers (among other sensitive stuff) were being leaked inside document bodies.

    • So just to clarify: some bug makes Cloudflare leak the HTTP Headers into the HTML being served, and those HTML pages containing sensitive info got cached by Google (and others)?


  • Cloudflare handles SSL for a lot of sites. It decrypts everything and passes it along.

    For certain other sites, with malformed html, there is a bug that caused it to grab random data (headers and body) from memory and include it in the body of the response HTML. (Some html rewriting product that cloudflare offered was broken and it ran on the same servers.)

    This stuff got sent to people's browsers and also to web indexers like Google or Bing.

    Google lets you search for stuff and will also show you the original page that it scraped, making it easy to find this data.

    Edit: Also you may be seeing more headers in examples because headers are easier to search for.

  • HTTP Headers were being included in the http response bodies of other random websites. Those websites were being crawled and cached.

  • Requesting a page with a specific combination of broken tags, when done through cloudflare, will cause neighboring memory to be dumped into the response. OP suspects this is due to a bounds checking bug on a read or copy. One can imagine this can be potentially kilobytes of data in one go.

    Since anyone can put a broken page behind cloudflare, all you need to do is request your own broken page through cloudflare, and start collecting the random "secure" data that comes back.
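As an added illustration of the bounds-checking bug the comments above describe (this is not code from the thread or from Cloudflare's parser): a scanner for the end of an HTML tag that, on an unterminated tag, keeps reading past the page into whatever sits next to it in memory, beside a version that stops at the page boundary and rejects the malformed tag. The memory layout, the `Cookie:` line and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for the example: a page with an unterminated
   <a ...> tag, immediately followed by bytes from an unrelated request.
   Only the first PAGE_LEN bytes belong to the page being rewritten. */
static const char arena[] =
    "<html><body><a href=\"x"                  /* tag never closed with '>' */
    "Cookie: session=CONSTRUCTED-EXAMPLE>";     /* "neighbouring" memory    */
#define PAGE_LEN (sizeof("<html><body><a href=\"x") - 1)

/* Vulnerable scanner: looks for the closing '>' of the tag at buf[start]
   but never checks len, so an unterminated tag keeps reading (and copying)
   past the page into whatever follows it. Returns bytes copied into out. */
int tag_text_vuln(const char *buf, size_t len, size_t start,
                  char *out, size_t outsz) {
    (void)len;                      /* the bound is ignored: this is the bug */
    const char *p = buf + start;
    size_t n = 0;
    /* The NUL test stops it only by luck; real memory is not NUL-terminated. */
    while (*p != '>' && *p != '\0' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return (int)n;
}

/* Fixed scanner: never reads beyond len; an unterminated tag is reported
   as -1 instead of being "completed" from adjacent memory. */
int tag_text_fixed(const char *buf, size_t len, size_t start,
                   char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = start; i < len; i++) {
        if (buf[i] == '>') { out[n] = '\0'; return (int)n; }
        if (n + 1 < outsz) out[n++] = buf[i];
    }
    out[0] = '\0';
    return -1;                      /* ran off the page without a '>' */
}

int main(void) {
    char out[128];
    size_t start = 12;              /* index of '<' in "<a href=..." */
    int n = tag_text_vuln(arena, PAGE_LEN, start, out, sizeof out);
    printf("vulnerable copied %d bytes: %s\n", n, out);   /* leaks the cookie */
    n = tag_text_fixed(arena, PAGE_LEN, start, out, sizeof out);
    printf("fixed returned %d (unterminated tag rejected)\n", n);
    return 0;
}
```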

Just deleted my LastPass account - have been converted to KeePass for over a month.