CLOUDFLARE SECURITY SCANDAL #Cloudbleed: memory leaks with buffer overruns! (FULL HTTPS TRAFFIC LEAKED)

piluso · February 24, 2017, 6:34am

Details about what happened, from Cloudflare:

Potential sites affected:

pirate/sites-using-cloudflare/blob/master/README.md

# List of Sites on Cloudflare DNS (archived)

This is an (archived) list of sites on Cloudflare DNS at the time of the [CloudBleed HTTPS traffic leak](https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/) announcement.
Original vuln [thread](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139) by Google Project Zero.

Cloudflare has posted a very detailed response, explaining exactly what the implications of this leak are.  It thoroughly explains their language in earlier statements, and I highly recommend reading it before looking through this list for domains:
https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

### DISCLAIMER:
This list is archived and no longer under active maintenance.  It may contain stale or inaccurate data that will not be corrected.  Do not link to it from press releases, it is not intended for end-users.  If people want to find it, they can Google it.

This list contains *all* domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data).  It's a broad sweeping list that includes everything.  Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns.  I've compiled an unofficial list here so you know where to start searching for sessions to reset and passwords to change.

See [issue #127](https://github.com/pirate/sites-using-cloudflare/issues/127#issuecomment-282385955) and [issue #87](https://github.com/pirate/sites-using-cloudflare/issues/87#issuecomment-282372235) for additional info about which sites are likely to be affected.

## Impact

**Between 2016-09-22 - 2017-02-18 session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.**

This file has been truncated. show original

@dirvine @nicklambert the affected sites includes DIGITAL OCEAN, COINBASE, BITFINEX, POLONIEX und KRAKEN.
Kill your sessions (logout) sign back in and change your passwords, and if you haven’t activated your 2FA, it is time to do it right now.

This is way worse than heartbleed.
I am tired of this shit. We need Safe Network now!!

whiteoutmashups · February 24, 2017, 3:00pm

I always use 2fa for everything, would that really help though? Always worry someone could grab my code when I’m setting it up

piluso · February 24, 2017, 3:45pm

You said it. If you set up the 2FA the last 5 months, you should disable it and reenable 2FA again.
The leaks are in plaintext of everything they had in memory: it includes API keys, plain text passwords, TLS certificates, full private messages, IP addresses, GPS coordinates, session tokens, HTTP POST, HTTP GET, etc…)
If the website you are using were using Cloudflare for DDoS protection (or to manage heavy traffic with their reverse proxies), then it essentially has been doing a MITM, and everything that you were supposed to be sending to your favorite website, was going through Cloudflare first.

Jabba · February 24, 2017, 3:49pm

You have to authorise a device with an already authorised device usually with 2FA.apps like ‘authy’, so they’re pretty robust.

The biggest weak point is your phone usually. I’d be more worried about using your number to back up any ID than your codes being grabbed. But obvs change and update all pw’s especially if they are duplicated for various sites.

I don’t even own a mobile… more trouble then they’re worth.

piluso · February 24, 2017, 4:25pm

Authy uses Cloudflare.

rand_om · February 24, 2017, 5:21pm

How is it possible that this kind of data is transferred unencrypted over cloudflare? I’m more and more confused how insecure everything is. I mean we know it’s really bad, but how bad is it actually if something like this can even happen? Wow, just wow.

piluso · February 24, 2017, 5:51pm

It is HTTPS Traffic, but once it arrives to the server, it is stored in memory in plaintext.

anon81773980 · February 24, 2017, 8:20pm

GLOBAL PASSPORT RESET NOW!

Looks like I’m spending all afternoon, setting up new passwords.

This is getting ridiculous.

nice · February 25, 2017, 9:37am

just in case :

$ egrep ‘safenetforum.org|safedev.org’ sorted_unique_cf.txt
safedev.org
safenetforum.org

Topic		Replies	Views
"Cloudflare CEO ponders his action"--The time for SAFE is Riper and Riper Marketing	0	571	August 23, 2017
Belgian lightning takes out Google Marketing	6	1018	August 20, 2015
Has anyone thought to have duckduckgo run a node? Marketing	10	1159	July 20, 2015
Is bandwidth reaching a limit? Marketing	12	1394	May 5, 2015
An entire telecom alliance trying to stop end-to-end web encryption Marketing	3	899	November 19, 2014

CLOUDFLARE SECURITY SCANDAL #Cloudbleed: memory leaks with buffer overruns! (FULL HTTPS TRAFFIC LEAKED)

Related Topics