Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Encryption Cloud Communications Network Networking Privacy Programming Security The Internet

Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk) 87

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
This discussion has been archived. No new comments can be posted.

Cloudflare Leaks Sensitive User Data Across the Web

Comments Filter:
  • by Anonymous Coward

    If this unremarkable bug in a proprietary cloud platform didn't have a cutesy name, it wouldn't be reported in the news. It would have just been fucking fixed, because fixing it is the important part, not running bullshit news about it.

    • by Anonymous Coward on Friday February 24, 2017 @07:31AM (#53922995)

      Um.. Considering the size and scope of Cloudflare, this pretty massive news.

      And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turning to Twitter to find the fastest possible route of alerting someone at Cloudflare.

      But please continue to keep swearing about nothing.

      • by SumDog ( 466607 ) on Friday February 24, 2017 @12:06PM (#53924017) Homepage Journal

        I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).

        The HackerNews story has hundreds of comments explaining just how bad the situation is.

        • by Anonymous Coward

          It's because everyone technical has already left slashdot, and this is just a shadow of the former glory, full of racism and misogyny.

          Its like a tech mos eisley honestly. I've about had my limit myself.

        • Part of what I do for a living, and have done for many years, is evaluate these kinds of vulnerabilities. This could have been really, really bad, a major story. Certainly it would be a big deal if all of the following were true:

          If the issue existed for a long time.
          If the bad guys knew about it before it was fixed.
          If it affected sites that had something vaguely resembling valid html.
          If it could have leaked tls/ssl keys.

          In the security field, we have a mostly objective scoring system called CVSS which gives

      • by Anonymous Coward

        And in their blog, they provided a highly detailed explanation of the bug, how it worked, and how they fixed it. You just don't see that kind of customer engagement and detail in most tech companies.

    • by Anonymous Coward

      Cloudflare = Crimeflare

      And who knows how long this bug has been present. Hell it may have even been intentional so the FBI, NSA, CIA, and various other spy agencies could eavesdrop.

      • by Anonymous Coward

        Cloudflare = Crimeflare

        A list of impacted sites begs to differ. [github.com]

      • Re: (Score:3, Interesting)

        Yep, CloudFlare is spraying supposedly TLS-encrypted data all over the internet in clear text?! What the fuck!? I almost want to laugh at CloudFlare's misfortune, except every internet user including me is probably affected by this. What the hell is the point of HTTPS at all, when so much HTTPS traffic is being purposely MITM'd for profit by CloudFlare? A very large part of the web is living under their leaky roof, meantime many in the professional networking community encourage this and help implement it.
  • Lovely (Score:2, Insightful)

    unnamed services for hotel booking and password management.

    And THAT is why I don't use online password management sites, bloody stupid idea anyway, talk about putting all your eggs into one basket.

    • Re:Lovely (Score:4, Interesting)

      by fuzzyf ( 1129635 ) on Friday February 24, 2017 @06:07AM (#53922835)
      As long as passwords are encrypted and decrypted on the client it's not really that much of a risk.

      I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I havent managed to set up a better system for myself... yet.

      MFA and a strong master password is pretty good for protecting your passwords.
    • Re:Lovely (Score:5, Interesting)

      by Troed ( 102527 ) on Friday February 24, 2017 @06:19AM (#53922853) Homepage Journal

      It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

      No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

      https://blog.agilebits.com/201... [agilebits.com]

      (I use LastPass myself)

      The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

      • >unique 14+ char completely random passwords

        loln00b. ;)

        I use 64-character passwords generated using openssl SHA-1 being fed with /dev/random.

        I'm not even kidding. After the FIFTH GODDAMN WEBSITE LEAKED MY PASSWORDS IN ONE YEAR, I became outright furious. I'm still waiting for Congress to stop sucking corporate dicks and pass a law making it explicitly illegal to lose a MILLION user accounts, let alone a fuckin' BILLION like Yahoo did.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Problem with 64-character passwords is that a lot of websites/services truncate passwords above a certain length, often without telling the user *cough* PayPal.

          • No, the worst part is when they perform the truncation on the web end and your 64 character password gets cut down before being processed, then at a later date they change the limit and your 64 character password gets cut down to a different length before being processed, thus preventing you from logging in. This can also happen if they decide to disallow certain characters and don't bother considering that user's may have them in their passwords already. It can also happen if they silently strip out cert

  • Comment removed based on user account deletion
    • by larkost ( 79011 )

      The main advantages are that a) they can take a lot more load that the majority of sites can by both doing pretty good caching and having a lot of geographic redundancy (and the DNS services to handle that), and b) have an operations team that can better respond to DOS attacks than most of their customers are large enough to have (plus network-geographicly distributed resources to hopefully mitigate the attack).

      They are probably not going to be faster for small-traffic websites, and they are adding a layer

    • I use Cloudflare for a variety of sites mostly for DDOS protection. And it seems to work pretty well for that.

      They claim to do a lot of caching of static content but since most of my sites are dynamic (they have to be) I've never seen much benefit from that end of it.

      • Comment removed based on user account deletion
        • I can say that I've been happy with them, and they do provide some decent/interesting metrics on site traffic.

          They also have some interesting features like SSL without a cert for your site, HTTPS rewriting, DNS fiddling, some firewall stuff and page rules (which I don't use but they look like they could be very useful).

          They do seem to screen out a lot of malicious traffic, if their stats can be believed (and I've no reason not to think they're real). The site is very straightforward to use and easy to figu

          • Comment removed based on user account deletion
            • This is the bit which kind of puzzles me. During my quick test, I recall to have seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.

              I think that 99.9999% of attacks don't succeed which is why we never notice them. Sometimes even when they do succeed we may not notice that the site's been compromised. It depends what the end goal is. Maybe they just want file storage space, maybe they use the site as a low-level attack platform, or use it as part of a botnet, or to run more scripts, etc.

              I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins

              • Comment removed based on user account deletion
                • (e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that server)

                  Yep, these are the mindless bots, just hitting every domain that they can, checking for a Wordpress installation. If they find one then they kick into a more dedicated exploit mode or they note the URL and another bot comes along later to do a comprehensive search for vulnerable WP plugins.

                  If you use Wordpress, I highly recommend the "Wordfence" plugin- it stops a LOT of stuff and is highly configurable. I consider it a must-have plugin for any WP site.

                  -

                  Thanks again for your feedback and helping me understand better what CloudFlare provides exactly

                  You're welcome.

    • Also don't forget about Universal SSL, which I think is related to the problems here (?). Having a central point to manage name zones is another unintended feature, you can swap domains from hosts with minimal DNS downtime. The firewall features are nice, you can block single IPs and challenge whole countries on arrival.

      If you site got buggy after enabling Cloudflare most of the time is because you "optimized" the JS with a (forever beta) feature called Rocketsomething and checked JS for tidy. Or you for

Dennis Ritchie is twice as bright as Steve Jobs, and only half wrong. -- Jim Gettys

Working...