For months, a bug in CloudFlare resulted in malformed pages spraying uninitialized memory. This uninitialized memory contained anything that passed through CloudFlare: passwords, cookies, HTTP headers, HTTP content, even internal cloudflare TLS certificates.ANYTHING transited through CloudFlare could have been sprayed onto the internet. Even worse, HTTP caches (like Google, corporate web caches, ISP caches) have cached these malformed data.The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."Consequence of @taviso's Cloudbleed discovery: essentially any traffic which passed through Cloudflare (even https) recently might be public"https://twitter.com/octal/status/834925850470432769UPDATE: 1Password not affectedWhat you can doChange passwords on all CloudFlare sites. This includes:redditbitfinexbitstampcoinbaseetc...If you enabled 2FA recently in the past few months, it's possible that the 2FA secret ITSELF was leaked. You should disable and re-enable 2FA.You can read the full discovery here: http://bit.ly/2lxYeIB can see CloudFlare trying to downplay the impact of the incident, when Cloudbleed is bigger than Heartbleed. via /r/Bitcoin http://bit.ly/2lfqLzK
No comments :
Post a Comment