Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk) 87

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
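The buffer-overrun class the summary describes, as an added example that is not Cloudflare's code: a constructed arena holds one page's HTML followed by bytes that stand in for another request's memory; a scanner that searches for the closing `>` without a bound walks into those bytes and reports them as part of the page, while the bounded version reports the incomplete tag instead. The arena layout, names and sample values are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for one shared parser buffer: the first
 * page_len bytes are the HTML being rewritten, the bytes after them belong
 * to another request and must never be read. Assumed layout for the demo,
 * not Cloudflare's parser or memory. */
#define ARENA_LEN 64
static char arena[ARENA_LEN];
static const char page[] = "<p>hello<a";             /* tag left unterminated */
static const char neighbour[] = " session=SECRET>";   /* another user's bytes */

size_t setup_arena(void) {
    memset(arena, 0, ARENA_LEN);
    memcpy(arena, page, strlen(page));
    memcpy(arena + strlen(page), neighbour, strlen(neighbour));
    return strlen(page);                              /* logical buffer length */
}

/* Defective scanner: looks for the '>' that closes the tag at `start` with no
 * bound on how far it may walk. On an unterminated tag the '>' it finds is the
 * neighbour's, and everything in between is treated as part of this page. */
long tag_len_unchecked(const char *buf, size_t start) {
    const char *p = buf + start;
    while (*p != '>')
        p++;
    return (long)(p - (buf + start)) + 1;
}

/* Hardened scanner: every dereference is preceded by a check against the
 * logical end, and an incomplete tag is reported instead of guessed at. */
long tag_len_bounded(const char *buf, size_t len, size_t start) {
    const char *p = buf + start, *end = buf + len;
    while (p < end && *p != '>')
        p++;
    return p == end ? -1 : (long)(p - (buf + start)) + 1;
}

/* Both scanners applied to the unterminated "<a" at the end of the page. */
long demo_unchecked(void) { size_t n = setup_arena(); return tag_len_unchecked(arena, n - 2); }
long demo_bounded(void)   { size_t n = setup_arena(); return tag_len_bounded(arena, n, n - 2); }

int main(void) {
    size_t len = setup_arena();
    printf("page is %zu bytes; unchecked scanner reported an %ld-byte tag, "
           "i.e. it copied the neighbour's bytes as page content\n", len, demo_unchecked());
    printf("bounded scanner returned %ld (incomplete tag, nothing copied)\n", demo_bounded());
    return 0;
}
```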
  • by Anonymous Coward

    If this unremarkable bug in a proprietary cloud platform didn't have a cutesy name, it wouldn't be reported in the news. It would have just been fucking fixed, because fixing it is the important part, not running bullshit news about it.

    • by Anonymous Coward on Friday February 24, 2017 @08:31AM (#53922995)

      Um.. Considering the size and scope of Cloudflare, this is pretty massive news.

      And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turn to Twitter to find the fastest possible route of alerting someone at Cloudflare.

      But please continue to keep swearing about nothing.

      • by SumDog ( 466607 ) on Friday February 24, 2017 @01:06PM (#53924017) Homepage Journal

        I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).

        The HackerNews story has hundreds of comments explaining just how bad the situation is.

        • by Anonymous Coward

          It's because everyone technical has already left slashdot, and this is just a shadow of the former glory, full of racism and misogyny.

          It's like a tech Mos Eisley honestly. I've about had my limit myself.

        • Part of what I do for a living, and have done for many years, is evaluate these kinds of vulnerabilities. This could have been really, really bad, a major story. Certainly it would be a big deal if all of the following were true:

          If the issue existed for a long time.
          If the bad guys knew about it before it was fixed.
          If it affected sites that had something vaguely resembling valid html.
          If it could have leaked tls/ssl keys.

          In the security field, we have a mostly objective scoring system called CVSS which gives

      • by Anonymous Coward

        And in their blog, they provided a highly detailed explanation of the bug, how it worked, and how they fixed it. You just don't see that kind of customer engagement and detail in most tech companies.

    • by Anonymous Coward

      Cloudflare = Crimeflare

      And who knows how long this bug has been present. Hell it may have even been intentional so the FBI, NSA, CIA, and various other spy agencies could eavesdrop.

      • by Anonymous Coward

        Cloudflare = Crimeflare

        A list of impacted sites begs to differ. [github.com]

      • Re: (Score:3, Interesting)

        Yep, CloudFlare is spraying supposedly TLS-encrypted data all over the internet in clear text?! What the fuck!? I almost want to laugh at CloudFlare's misfortune, except every internet user including me is probably affected by this. What the hell is the point of HTTPS at all, when so much HTTPS traffic is being purposely MITM'd for profit by CloudFlare? A very large part of the web is living under their leaky roof, meantime many in the professional networking community encourage this and help implement it.
  • Lovely (Score:2, Insightful)

    unnamed services for hotel booking and password management.

    And THAT is why I don't use online password management sites, bloody stupid idea anyway, talk about putting all your eggs into one basket.

    • Re:Lovely (Score:4, Interesting)

      by fuzzyf ( 1129635 ) on Friday February 24, 2017 @07:07AM (#53922835)
      As long as passwords are encrypted and decrypted on the client it's not really that much of a risk.

      I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I haven't managed to set up a better system for myself... yet.

      MFA and a strong master password is pretty good for protecting your passwords.
    • Re:Lovely (Score:5, Interesting)

      by Troed ( 102527 ) on Friday February 24, 2017 @07:19AM (#53922853) Homepage Journal

      It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

      No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

      https://blog.agilebits.com/201... [agilebits.com]

      (I use LastPass myself)

      The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

      • >unique 14+ char completely random passwords

        loln00b. ;)

        I use 64-character passwords generated using openssl SHA-1 being fed with /dev/random.

        I'm not even kidding. After the FIFTH GODDAMN WEBSITE LEAKED MY PASSWORDS IN ONE YEAR, I became outright furious. I'm still waiting for Congress to stop sucking corporate dicks and pass a law making it explicitly illegal to lose a MILLION user accounts, let alone a fuckin' BILLION like Yahoo did.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Problem with 64-character passwords is that a lot of websites/services truncate passwords above a certain length, often without telling the user *cough* PayPal.

          • No, the worst part is when they perform the truncation on the web end and your 64 character password gets cut down before being processed, then at a later date they change the limit and your 64 character password gets cut down to a different length before being processed, thus preventing you from logging in. This can also happen if they decide to disallow certain characters and don't bother considering that users may have them in their passwords already. It can also happen if they silently strip out cert
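The truncation failure mode the two comments above describe, as an added example (not code from any service mentioned on the page): a constructed service that silently cuts passwords to a byte limit before hashing, so a later limit change strands an existing account and any password sharing the first `limit` bytes is accepted, next to one that hashes the full password. The class names, the 64-character sample password and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import os
import secrets


def _hash(password: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept low so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


class TruncatingService:
    """Models a site that silently cuts passwords to `limit` bytes before hashing."""

    def __init__(self, limit: int):
        self.limit = limit
        self.users = {}  # user -> (salt, hash)

    def _normalise(self, password: str) -> bytes:
        return password.encode()[: self.limit]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(self._normalise(password), salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return secrets.compare_digest(stored, _hash(self._normalise(password), salt))


class FullLengthService(TruncatingService):
    """Hashes the whole password; a later limit change cannot strand existing users."""

    def _normalise(self, password: str) -> bytes:
        return password.encode()


def lockout_after_limit_change(service_cls, old_limit, new_limit, password):
    """Returns (login works at old limit, login works after the limit changes)."""
    svc = service_cls(old_limit)
    svc.register("alice", password)
    before = svc.login("alice", password)
    svc.limit = new_limit  # operator raises the cap later; stored hashes untouched
    after = svc.login("alice", password)
    return before, after


def accepts_same_prefix(service_cls, limit, password):
    """True if a different password sharing the first `limit` bytes also logs in."""
    svc = service_cls(limit)
    svc.register("alice", password)
    return svc.login("alice", password[:limit] + "NOT-THE-REAL-TAIL")


LONG_PASSWORD = "x" * 40 + "y" * 24  # constructed 64-character password
```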

  • I am genuinely curious about the actual advantages of the CloudFlare CDN.

    Some time ago, I tried their most basic package and didn't notice any improvement. In fact, that site had some slow-page-loading issues which their CDN didn't reduce; additionally, some unknown-until-that-moment errors started appearing. Note that the whole point of that offer was convincing me to buy the proper version, so I assume that it was good enough. This was a quite short experience and that's why I don't have a clear opinion
    • by larkost ( 79011 )

      The main advantages are that a) they can take a lot more load than the majority of sites can by both doing pretty good caching and having a lot of geographic redundancy (and the DNS services to handle that), and b) have an operations team that can better respond to DOS attacks than most of their customers are large enough to have (plus network-geographically distributed resources to hopefully mitigate the attack).

      They are probably not going to be faster for small-traffic websites, and they are adding a layer

      • Thanks for the info. DoS protection makes much more sense than the affordable-CDN-for-everyone which I thought that was their primary business.
    • I use Cloudflare for a variety of sites mostly for DDOS protection. And it seems to work pretty well for that.

      They claim to do a lot of caching of static content but since most of my sites are dynamic (they have to be) I've never seen much benefit from that end of it.

      • Thanks for sharing your experience. As commented above, protection against denial of service is a much more plausible explanation for their success than providing affordable CDNs.
        • I can say that I've been happy with them, and they do provide some decent/interesting metrics on site traffic.

          They also have some interesting features like SSL without a cert for your site, HTTPS rewriting, DNS fiddling, some firewall stuff and page rules (which I don't use but they look like they could be very useful).

          They do seem to screen out a lot of malicious traffic, if their stats can be believed (and I've no reason not to think they're real). The site is very straightforward to use and easy to figu

          • They do seem to

            This is the bit which kind of puzzles me. During my quick test, I recall having seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.

            I can say that I've been happy with them

            This is all what matters. Although I didn't get a good impression about all this, I recognise my

            • This is the bit which kind of puzzles me. During my quick test, I recall having seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.

              I think that 99.9999% of attacks don't succeed which is why we never notice them. Sometimes even when they do succeed we may not notice that the site's been compromised. It depends what the end goal is. Maybe they just want file storage space, maybe they use the site as a low-level attack platform, or use it as part of a botnet, or to run more scripts, etc.

              I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins

              • I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins which are absolutely malicious in nature

                I have also seen lots of malware-wannabe bots visiting my two sites (with very low traffic), but never really dangerous attempts. Most of them do completely stupid actions like expecting the database to be in a very specific location (and accessible via HTTP!!) or visiting pure gibberish. The less stupid ones look for what seem known exploits of applications, but in a pretty naive and arbitrary way (e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that se

                • (e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that server)

                  Yep, these are the mindless bots, just hitting every domain that they can, checking for a Wordpress installation. If they find one then they kick into a more dedicated exploit mode or they note the URL and another bot comes along later to do a comprehensive search for vulnerable WP plugins.

                  If you use Wordpress, I highly recommend the "Wordfence" plugin- it stops a LOT of stuff and is highly configurable. I consider it a must-have plugin for any WP site.

                  -

                  Thanks again for your feedback and helping me understand better what CloudFlare provides exactly

                  You're welcome.

                  • If you use Wordpress

                    No, I don't. WordPress or anything else. As said, I created both my sites from scratch (= wrote each single character of their code); as far as programming is my work, why not use my sites as a permanent self-promotion? In the past, I did rely on WordPress to take care of secondary functionalities and didn't like that experience too much (I prefer my code :)).

                    must-have plugin for any WP site.

                    Even in the unlikely scenario of using WordPress, I wouldn't use plugins unless under very specific circumstances. If WP implies an increase of u

                    • PS: just in case that it wasn't clear, bear in mind that with "my sites" I meant customsolvers.com [customsolvers.com] (main site) and varocarbas.com [varocarbas.com] (where I store R&D-oriented anything). Their main purpose is to promote and to give some visibility to my work as a programmer (I don't get any direct income from the visitors they get). Also note that I don't manage others' websites (don't even build them).
                    • No, I don't. WordPress or anything else. As said, I created both my sites from scratch (= wrote each single character of their codes);

                      Same here for 99% of my sites. There are a couple of quickie Wordpress sites I've put up (one for my wife's business, stuff like that) but other than that I code it all by hand, no IDE, just CEdit and a lot of coffee. :)

                    • by hand, no IDE, just CEdit and a lot of coffee. :)

                      Exactly like me except for the editor (NotePad++ over here); at least, when using PHP. With other languages like C#, I also enjoy fully-featured IDEs.

                    • Heh heh, I used Notepad++ for a long time.

                      Give Crimson Editor (CEdit) a try, it's a lot like Notepad++ but it does a few extra things like bracket-matching, keyword highlighting and some other handy stuff: http://www.crimsoneditor.com/ [crimsoneditor.com]

                      I use it in a very 'minimal view' mode, but I like it a lot.

                    • Give Crimson Editor (CEdit) a try, it's a lot like Notepad++ but it does a few extra things like bracket-matching, keyword highlighting and some other handy stuff

                      Notepad++ has done all these things since a long time ago. Perhaps you should re-try it :)

    • Also don't forget about Universal SSL, which I think is related to the problems here (?). Having a central point to manage name zones is another unintended feature, you can swap domains from hosts with minimal DNS downtime. The firewall features are nice, you can block single IPs and challenge whole countries on arrival.

      If your site got buggy after enabling Cloudflare, most of the time it is because you "optimized" the JS with a (forever beta) feature called Rocketsomething and checked JS for tidy. Or you for
      • feature called Rocketsomething

        Yes, I do recall that feature, but I think that this wasn't the reason for my problems. Apparently, they didn't emulate my original conditions perfectly in their copy. But as said, this was a short test over 1 year ago of a free version, so it might have been anything.

        While I agree that CF is in a position to be even more scary than Google

        No doubt on that. They are plainly getting full copies of all your web-files and storing them in servers you cannot reach. This is plainly a fear-based business where you have to almost blindly trust your defenders. It is way much more invasiv
