Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk)
ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
obligatory cutesy name (Score:1)
If this unremarkable bug in a proprietary cloud platform didn't have a cutesy name, it wouldn't be reported in the news. It would have just been fucking fixed, because fixing it is the important part, not running bullshit news about it.
Re:obligatory cutesy name (Score:5, Insightful)
Um.. Considering the size and scope of Cloudflare, this is pretty massive news.
And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turn to Twitter to find the fastest possible route of alerting someone at Cloudflare.
But please continue to keep swearing about nothing.
Re:obligatory cutesy name (Score:4, Insightful)
I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).
The HackerNews story has hundreds of comments explaining just how bad the situation is.
Re: (Score:1)
It's because everyone technical has already left slashdot, and this is just a shadow of the former glory, full of racism and misogyny.
It's like a tech Mos Eisley, honestly. I've about had my limit myself.
As a career security professional, I'm not too wor (Score:3)
Part of what I do for a living, and have done for many years, is evaluate these kinds of vulnerabilities. This could have been really, really bad, a major story. Certainly it would be a big deal if all of the following were true:
If the issue existed for a long time.
If the bad guys knew about it before it was fixed.
If it affected sites that had something vaguely resembling valid html.
If it could have leaked tls/ssl keys.
In the security field, we have a mostly objective scoring system called CVSS which gives
Re: (Score:1)
And in their blog, they provided a highly detailed explanation of the bug, how it worked, and how they fixed it. You just don't see that kind of customer engagement and detail in most tech companies.
Re: (Score:1)
Cloudflare = Crimeflare
And who knows how long this bug has been present. Hell it may have even been intentional so the FBI, NSA, CIA, and various other spy agencies could eavesdrop.
Re: (Score:1)
Cloudflare = Crimeflare
A list of impacted sites begs to differ. [github.com]
Re: (Score:2, Insightful)
Ironically calloc would solve a lot of problems if only idiots would stop whining about how malloc is allegedly faster. It's ironic because Calloc begins with C.
Re: (Score:1)
If you're a gambler, you could use malloc everywhere and initialize nothing and accept the fuckups that happen with uninitialized memory, or you can be a responsible coder and use memset everywhere, but wait, since "responsible" and "coder" are contradictory, why use malloc and memset when you can use calloc which explicitly allocates from zero filled memory, so you can maintain your reputation as a badass rockstar who doesn't give a shit about initializing anything, ever!
Calloc! The drop in replacement for
Re: (Score:2)
Calloc! The drop-in replacement for malloc that makes your code safer while also making it look like no fucks were given!
What a pile of shit.
Leave C to the adults, mkay?
Re: (Score:1)
Are you denying that calloc can be used everywhere malloc can be used?
On the C Abstract Machine, it can. In the real world (and especially in needlessly linux-specific code), calloc can be^Wappear so much faster. If you allocate a buffer and rely on access being fast right away, calloc might come around and bite you in the ass because of the COW semantics that linux' calloc seems to have.
So using calloc instead of malloc could in theory break some pseudo realtime things.
That said, the inverse is not true, i.e. you cannot necessarily replace your every calloc with a malloc+m
Re: (Score:2)
If you're a gambler, you could use malloc everywhere and initialize nothing and accept the fuckups that happen with uninitialized memory, or you can be a responsible coder and use memset everywhere, but wait, since "responsible" and "coder" are contradictory, why use malloc and memset when you can use calloc which explicitly allocates from zero filled memory, so you can maintain your reputation as a badass rockstar who doesn't give a shit about initializing anything, ever!
Calloc! The drop-in replacement for malloc that makes your code safer while also making it look like no fucks were given!
Sometimes, initializing memory -- just for the sake of initialization -- creates or hides errors. This includes, but is not limited to, allocated memory. For example, Valgrind will not be able to detect reads of uninitialized data if all data always is set to 0. Valgrind is an extremely powerful tool which can track down really obscure bugs, so it's wise to play ball with Valgrind.
Another example may be to initialize a local variable to some default value, blocking the compiler from emitting a proper warni
Re: (Score:2, Informative)
Would not have helped. The problem with C is that pointers carry no information about the area of memory they're supposed to be point within. C programmers use pointers like indices, but an index alone isn't enough to address memory: You need the array too, and at least conceptually that comes with a size (but of course pure C doesn't stop you from exceeding array bounds.) What happened here is that the program had lots of buffers in contiguous memory, and by exceeding the one it was supposed to work with,
Re: (Score:2)
Except they wrote it in Ragel, which generates C code or asm
So, in theory, any language used like that could have generated bad / vulnerable end-code.
Re: (Score:2)
and ASM
Would the ASM have been bug-free?
Would any other language, with ANY amount of safe-guards, have been physically incapable of producing an off-by-one in its output code?
No.
This is quite literally "Ragel took a definition, and then compiled it to bad machine code". Whether that was via an intermediary language or not, that's possible with ANY compiler for ANY language. If Java had a bug in it that resulted in incorrect machine code being generated for the "safe" Java code it was asked to execute, the same
Re: (Score:2)
No. Read the article.
For the avoidance of doubt: the bug is not in Ragel itself. It is in Cloudflare's use of Ragel. This is our bug and not the fault of Ragel.
They then explain that the root of the bug was a mistake in their flow-control which triggered an inappropriate pointer-increment.
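The two comments above make the same point from different angles: a C pointer carries no notion of which buffer it belongs to, so once a flow-control slip advances it past the end of its own buffer it simply keeps reading whatever sits next in memory. The following is an added example, not Cloudflare's parser, Ragel output, or code from the blog post. It models a scanner in the Ragel style (a current pointer `p` and an end pointer `pe`) whose escape handling advances `p` by two bytes, a constructed stand-in for the "inappropriate pointer-increment" the comment describes; the arena layout, the `SECRET-TOKEN` neighbour and the `scan`/`leak_demo`/`leaks_neighbour` names are all assumptions made for the demonstration. The only difference between the leaking and the fixed variant is whether end-of-input is tested with `p == pe` or `p >= pe`.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define OUT_CAP 32

/* Constructed arena: buffer 0 and buffer 1 are logically separate but sit
 * next to each other, as the parser's buffers did; the extra BUF_LEN of
 * slack keeps the deliberate overrun inside one array, so the demo itself
 * is well-defined C rather than undefined behaviour. */
static char arena[3 * BUF_LEN];
static char out[OUT_CAP];

/* Copy the bytes of [p, pe) into out, treating '\\' as an escape that makes
 * the scanner skip the byte after it. That skip is the inappropriate
 * pointer increment: on a trailing backslash it moves p past pe. An
 * end-of-input test written as p == pe never fires after that and the
 * scanner walks into the neighbouring buffer; p >= pe stops at once. */
static size_t scan(const char *p, const char *pe, int strict_end)
{
    size_t n = 0;
    while (n + 1 < OUT_CAP) {
        int at_end = strict_end ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        if (*p == '\\') {
            p += 2;              /* skip '\' and the escaped byte, even at end */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Fill the arena and scan buffer 0 only. Returns the scanned text. */
const char *leak_demo(int strict_end)
{
    memset(arena, '.', sizeof arena);               /* visible filler */
    memcpy(arena, "a=b\\", 4);                      /* buffer 0: ends in '\' */
    memcpy(arena + BUF_LEN, "SECRET-TOKEN", 12);    /* buffer 1: another request's data (constructed) */
    scan(arena, arena + 4, strict_end);
    return out;
}

/* 1 if the neighbouring buffer's content leaked into the scanned output. */
int leaks_neighbour(int strict_end)
{
    return strstr(leak_demo(strict_end), "SECRET-TOKEN") != NULL;
}

int main(void)
{
    printf("p == pe : \"%s\"\n", leak_demo(0));   /* leaks the neighbour */
    printf("p >= pe : \"%s\"\n", leak_demo(1));   /* stops at "a=b" */
    return 0;
}
```

Note that the fixed variant changes nothing about the increment itself; the defence is that every loop that can move a pointer by more than one byte must test for "at or past the end", never for equality, and that the same check is what a bounds-carrying buffer type would apply on every read. Tools that catch this class of bug see a read past the buffer, not a read of uninitialized memory, which is why the calloc-versus-malloc argument in the thread above would not have helped here.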
Re: (Score:1)
Would not have helped. It's a buffer overrun into other buffers that are in use, not uninitialized memory.
Lovely (Score:2, Insightful)
And THAT is why I don't use online password management sites, bloody stupid idea anyway, talk about putting all your eggs into one basket.
Re:Lovely (Score:4, Interesting)
I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I haven't managed to set up a better system for myself... yet.
MFA and a strong master password is pretty good for protecting your passwords.
Re:Lovely (Score:5, Interesting)
It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.
No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.
https://blog.agilebits.com/201... [agilebits.com]
(I use LastPass myself)
The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.
Re: (Score:2)
>unique 14+ char completely random passwords
loln00b. ;)
I use 64-character passwords generated using openssl SHA-1 being fed with /dev/random.
I'm not even kidding. After the FIFTH GODDAMN WEBSITE LEAKED MY PASSWORDS IN ONE YEAR, I became outright furious. I'm still waiting for Congress to stop sucking corporate dicks and pass a law making it explicitly illegal to lose a MILLION user accounts, let alone a fuckin' BILLION like Yahoo did.
Re: (Score:2, Informative)
Problem with 64-character passwords is that a lot of websites/services truncate passwords above a certain length, often without telling the user *cough* PayPal.
Re: (Score:3)
No, the worst part is when they perform the truncation on the web end and your 64 character password gets cut down before being processed, then at a later date they change the limit and your 64 character password gets cut down to a different length before being processed, thus preventing you from logging in. This can also happen if they decide to disallow certain characters and don't bother considering that users may have them in their passwords already. It can also happen if they silently strip out cert
Re: (Score:2)
Do you believe anything in that link should have any LastPass customer worried?
We're not. The reason why is extensively covered both in that very article and by LastPass themselves.
Re: (Score:1)
Good luck with that, when you write buggy code in your higher level language and your higher level language compiles to C.
Re: (Score:2)
It's hilarious because cloudflare is a pretty strong advocate of Go
I can't believe they didn't use Rust or Malbolge or Visual Basic.
Re: (Score:2)
The main advantages are that a) they can take a lot more load than the majority of sites can by both doing pretty good caching and having a lot of geographic redundancy (and the DNS services to handle that), and b) have an operations team that can better respond to DOS attacks than most of their customers are large enough to have (plus network-geographically distributed resources to hopefully mitigate the attack).
They are probably not going to be faster for small-traffic websites, and they are adding a layer
Re: (Score:2)
I use Cloudflare for a variety of sites mostly for DDOS protection. And it seems to work pretty well for that.
They claim to do a lot of caching of static content but since most of my sites are dynamic (they have to be) I've never seen much benefit from that end of it.
Re: (Score:2)
I can say that I've been happy with them, and they do provide some decent/interesting metrics on site traffic.
They also have some interesting features like SSL without a cert for your site, HTTPS rewriting, DNS fiddling, some firewall stuff and page rules (which I don't use but they look like they could be very useful).
They do seem to screen out a lot of malicious traffic, if their stats can be believed (and I've no reason not to think they're real). The site is very straightforward to use and easy to figu
Re: (Score:2)
This is the bit which kind of puzzles me. During my quick test, I recall to have seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.
I think that 99.9999% of attacks don't succeed which is why we never notice them. Sometimes even when they do succeed we may not notice that the site's been compromised. It depends what the end goal is. Maybe they just want file storage space, maybe they use the site as a low-level attack platform, or use it as part of a botnet, or to run more scripts, etc.
I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins
Re: (Score:2)
(e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that server)
Yep, these are the mindless bots, just hitting every domain that they can, checking for a Wordpress installation. If they find one then they kick into a more dedicated exploit mode or they note the URL and another bot comes along later to do a comprehensive search for vulnerable WP plugins.
If you use Wordpress, I highly recommend the "Wordfence" plugin- it stops a LOT of stuff and is highly configurable. I consider it a must-have plugin for any WP site.
-
Thanks again for your feedback and helping me understand better what CloudFlare provides exactly
You're welcome.
Re: (Score:2)
No, I don't. WordPress or anything else. As said, I created both my sites from scratch (= wrote each single character of their codes);
Same here for 99% of my sites. There are a couple of quickie Wordpress sites I've put up (one for my wife's business, stuff like that) but other than that I code it all by hand, no IDE, just CEdit and a lot of coffee. :)
Re: (Score:2)
Heh heh, I used Notepad++ for a long time.
Give Crimson Editor (CEdit) a try, it's a lot like Notepad++ but it does a few extra things like bracket-matching, keyword highlighting and some other handy stuff: http://www.crimsoneditor.com/ [crimsoneditor.com]
I use it in a very 'minimal view' mode, but I like it a lot.
Re: (Score:2)
If your site got buggy after enabling Cloudflare, most of the time it is because you "optimized" the JS with a (forever beta) feature called Rocketsomething and checked JS for tidy. Or you for