[conspire] Cloudbleed ahoy

Rick Moen rick at linuxmafia.com
Sat Feb 25 11:11:06 PST 2017


Need something to do this weekend?  How about changing your passwords on 
substantially all Web sites?

Maybe only those on Web sites that have used San Francisco company 
Cloudflare's CDN / reverse proxy services during the last six months.
Except, oops, you're not entirely sure which ones those are.

This is hardly the first time the firm has been in trouble over...
disturbing sets of facts.  (/me waves at any Cloudflare Legal people
reading this mailing list & archives.)

https://en.wikipedia.org/wiki/Cloudflare#Criticism_and_controversies
https://en.wikipedia.org/wiki/Talk:Cloudflare


Details via three current news articles follow, quoted in part.


http://gizmodo.com/cloudbleed-password-memory-leak-cloudflare-1792709635

  Change Your Passwords. Now. 
  Bryan Menegus
  Yesterday 9:29am

  A massive memory leak from Web services and security company
  Cloudflare may have exposed user data for thousands of sites. In other
  words: it’s time to change your passwords.

  There’s lots left to discover about the impact of the leakage—which
  is being called Cloudbleed, similar to the Heartbleed bug back in 2014.
  What we do know that makes this so worrisome is that some of the memory
  leaks, which may have included user data, were able to be cached by
  search engines. Once indexed, nefarious types may have scraped and
  stored that data.
  [...]


https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

  Massive Bug May Have Leaked User Data from Millions of Sites.
  So... Change Your Passwords
  Lily Hay Newman
  Security
  02.24.17, 12:53 PM

  The Internet infrastructure company Cloudflare, which provides a
  variety of performance and security services to millions of Web sites,
  revealed late Thursday that a bug had caused it to randomly leak
  potentially sensitive customer data across the Internet.

  The flaw was first uncovered by Google vulnerability researcher Tavis
  Ormandy on February 17, but could have been leaking data since as long
  ago as September 22. In certain conditions, Cloudflare’s platform
  inserted random data from any of its six million customers—including big
  names like Fitbit, Uber, and OKCupid—onto the Web site of a smaller
  subset of customers. In practice, it meant that a snippet of information
  about an Uber ride you took, or even your Uber password, could have
  ended up hidden away in the code of another site.

  For the most part, the exposed data wasn’t posted on well-known or
  high-traffic sites, and even if it had been it wasn’t easily visible.
  But some of the leaked data included sensitive cookies, login
  credentials, API keys, and other important authentication tokens,
  including some of Cloudflare’s own internal cryptography keys. And as
  Cloudflare’s service spewed random information, that data was being
  recorded in caches by search engines like Google and Bing and other
  systems.
  [...]


https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/

  Cloudbleed: Big Web brands leaked crypto keys, personal secrets thanks
  to Cloudflare bug
  Heartbleed-style classic buffer overrun blunder strikes in 2017
  24 Feb 2017 at 01:47, Iain Thomson

  Big-name Web sites leaked people's private session keys and personal
  information into strangers' browsers, due to a Cloudflare bug uncovered
  by Google researchers.

  As we'll see, a single character – '>' rather than '=' – in Cloudflare's
  software source code sparked the security blunder.

  Cloudflare helps companies spread their Web sites and online services
  across the Internet. Due to a programming blunder, for several months
  Cloudflare's systems slipped random chunks of server memory into
  Web pages, under certain circumstances. That means if you visited a
  Web site powered by Cloudflare, you may have ended up getting chunks of
  someone else's Web traffic bunged at the bottom of your browser page.

  For example, Cloudflare hosts Uber, OK Cupid, and Fitbit, among
  thousands of others. It was discovered that visiting any site hosted by
  Cloudflare would sometimes cough up sensitive information from
  strangers' Uber, OK Cupid, and Fitbit sessions. Think of it as sitting
  down at a restaurant, supposedly at a clean table, and in addition to
  being handed a menu, you're also handed the contents of the previous
  diner's wallet or purse.

  This leak was triggered when Web pages had a particular combination of
  unbalanced HTML tags, which confused Cloudflare's proxy servers and
  caused them to spit out data belonging to other people – even if that
  data was protected by HTTPS.
  [...]
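The Register passage above boils the bug down to a single comparison character. Cloudflare's own postmortem put it this way: reaching the end of a buffer was tested with the equality operator, and a pointer was able to step over the end, so the test never fired. The C below is an added illustration of that failure mode, not Cloudflare's parser and not code from any of the quoted articles. It is a toy tag-stripper run over a constructed arena in which the page bytes are followed by bytes standing in for another tenant's traffic; it is run once with an `==` end check and once with `>=`, and it counts how many bytes it copied from beyond the page. The arena, the page length and the two-byte skip after `<` are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory layout (not a real capture): the page handed to the
 * parser is immediately followed, in the same arena, by bytes that stand
 * in for another tenant's traffic. The arena's terminating NUL plays the
 * role of the point where a real process would finally fault.
 */
static const char ARENA[] =
    "<p>hello<"                           /* page: a lone '<' is its last byte */
    "x>cookie=SESSION-abc123; key=K1";    /* neighbouring memory (constructed) */

#define PAGE_LEN 9                        /* strlen("<p>hello<") */

enum check_mode { CHECK_EQ, CHECK_GE };   /* end-of-buffer test: == or >= */

struct scan_result {
    size_t emitted;   /* bytes written to out */
    size_t overread;  /* bytes written that came from beyond the page */
};

/*
 * Strip tags from the page, copying text into out. After '<' the scanner
 * skips two bytes (the '<' and the tag name's first byte) before hunting
 * for '>'. When '<' is the page's last byte, p jumps from pe-1 to pe+1,
 * and an end-of-buffer check written with == never sees p == pe again.
 */
struct scan_result scan_page(enum check_mode mode, char *out, size_t out_len)
{
    const char *p        = ARENA;
    const char *pe       = ARENA + PAGE_LEN;            /* logical end of page */
    const char *hard_end = ARENA + sizeof ARENA - 1;    /* where we would crash */
    struct scan_result r = {0, 0};

    while (r.emitted + 1 < out_len && p < hard_end) {
        int at_end = (mode == CHECK_EQ) ? (p == pe) : (p >= pe);
        if (at_end)
            break;

        if (*p == '<') {
            p += 2;                                      /* the over-step */
            while (p < hard_end && *p != '>')
                p++;                                     /* skip tag body */
            if (p < hard_end)
                p++;                                     /* step past '>' */
            continue;
        }

        if (p >= pe)
            r.overread++;                                /* byte from beyond the page */
        out[r.emitted++] = *p++;
    }
    out[r.emitted] = '\0';
    return r;
}

/* Bytes copied from beyond the page under a given end-of-buffer check. */
size_t leaked_bytes(enum check_mode mode)
{
    char out[64];
    return scan_page(mode, out, sizeof out).overread;
}

int main(void)
{
    char out[64];
    struct scan_result r;

    r = scan_page(CHECK_EQ, out, sizeof out);
    printf("== check: emitted %zu bytes, %zu from beyond the page: \"%s\"\n",
           r.emitted, r.overread, out);
    r = scan_page(CHECK_GE, out, sizeof out);
    printf(">= check: emitted %zu bytes, %zu from beyond the page: \"%s\"\n",
           r.emitted, r.overread, out);
    return 0;
}
```

With the `==` check the output is "hello" followed by the whole constructed neighbour string, which is the shape of the leak the articles describe: a page that ends in an unbalanced tag, and memory belonging to someone else appended to its output. With `>=` the over-step is caught on the next pass and only "hello" is emitted. The general defensive point is that a bounds test on a pointer or index that can advance by more than one must be an inequality, never an equality.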
