← Back to context

Comment by dantiberian

8 years ago

From Twitter:

"@taviso their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?" - https://twitter.com/pmoust/status/834916647873961984

"@pmoust Yes, they worded it confusingly. It was exploitable for months, we have the cached data." - https://twitter.com/taviso/status/834918182640996353

9 comments

dantiberian

Reply
jgrahamc  8 years ago

From my blog on this:

    The three features implicated were rolled out as follows. 
    The earliest date memory could have leaked is 2016-09-22.

    2016-09-22 Automatic HTTP Rewrites enabled 
    2017-01-30 Server-Side Excludes migrated to new parser 
    2017-02-13 Email Obfuscation partially migrated to new parser 
    2017-02-18 Google reports problem to Cloudflare and leak is stopped

  • dantiberian  8 years ago

    With respect, the blog post buries the user with details. In my opinion, there should have been in bold at the top something like:

    Title: Security report on memory disclosure caused by Cloudflare parser bug

    (This is a security report, "incident" underplays this. Memory leak sounds a lot more innocuous than memory disclosure).

    Data from any website that was proxied via Cloudflare since September 22, 2016 may have been leaked to third parties via a bug in Cloudflare's HTML parser. Operators using Cloudflare should:

    * Invalidate session cookies

    * Reset user passwords

    * Rotate secrets

    * Inform users that private data (chats, pictures, passwords, ...) may have been inadvertently leaked by Cloudflare.

    * ...

    Users using websites proxied by Cloudflare should:

    * Reset their passwords

    * Log in/out of sessions to remove session tokens

    (Begin rest of post)

    Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. ...

  • benwilber0  8 years ago

    Well fuck. I have no idea what (if any, or all) of my authenticated web sessions have been going through CloudFlare in the last 6 months. How do I even start to protect myself from this?

    • sarcasmic  8 years ago

      1. rotate passwords, tokens, auth stuff on any and all service you use that may have used CloudFlare in this time period (as of time of writing this list has not been enumerated)

      2. hope that no personally-identifiable info or damaging plaintext that can be tied back to you has been exposed, but you will probably never know for sure

      3. join class action lawsuits if you so desire and receive the chump change that is your share once they inevitably get settled

      4. ponder what it truly means to willingly (or unknowingly) give information to or through a "trusted third-party" who may employ other "trusted third-parties"

      5. languish in unsatisfactory answers and outcomes, return to step 2.

      2 replies →