Computer users urged to change passwords after massive data leak

Posted February 25, 2017

There's a very, very small chance that any sensitive information, including passwords, you've given to websites that use Cloudflare - and many do - may have been released to the Internet as a result.

Cloudflare has published a post-mortem on the bug, which may have been active since mid-2016. Another major concern was that CloudFlare typically hosts content from different sites on the same server, so a request to one vulnerable website could reveal information about a separate, unrelated CloudFlare site. Given how many websites use Cloudflare, that's a big "Oops".

Still, it's an extremely important company for the infrastructure of the internet. They noticed unusual data that was coming up from websites using Cloudflare. Also, anyone with website admin credentials should change them immediately. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.

The security hole came in Cloudflare's HTML parser, which instead of just parsing HTML also injected extra code.

While it appears nobody has exploited the data, one of the largest difficulties for Cloudflare has been cleaning up the mess that was created. Under these circumstances "Cloudbleed" seem to be the flawless name for this situation.

Cloudflare provides a timeline on its blog, where it confirms that the minor features were re-enabled worldwide. The company then soon took the step of working with search engines to clear the data that have been cached. That's how Google got involved.

Geneva Intra-Syrian Talks Finally Enable Political Settlement - German FM
Asked if it had been discussed whether Assad would remain in power, Yelchenko said that was a subject for the Geneva talks. He said a shaky ceasefire brokered by Russia, Turkey and Iran had opened a window of opportunity.

Lyft rolls out to 54 more U.S. cities in Uber blitz
Lyft, founded in 2012, is available in almost 300 cities and has launched in 90 new cities since the start of 2017. To celebrate, new passengers can use the code LYFTLOVE17 to receive $5 off their first ride.

Korean leader Kim assassinated in Malaysia: Yonhap
The Indonesian woman has told investigators that she was duped into thinking she was part of a comedy show prank. Police have already arrested four people in connection with the attack, including the two women.

CDN and security provider Cloudflare has been leaking data from its TLS connections, Google researcher Tavis Ormandy has discovered - and despite his best efforts the flaw is now known as Cloudbleed. The content delivery network has acknowledged the issue and said it has fixed the underlying problem. These are not things that should be publicly accessible, even through complicated technical maneuvering. That memory might have contained sensitive data, like passwords or private communications.

Among what Google observed was what Prince referred to as Cloudflare's "NSA key". "Other data might exist in other caches and services throughout the Internet". "We always internally called it the "NSA key" because if the NSA was sitting on a piece of fiber connecting two of our data centers", Prince said, "this was the key that kept that data from being listened in on".

After reading the post on CloudFlare's website, Ormandy commented that "It contains an excellent postmortem, but severely downplays the risk to customers".

According to Cloudflare's blog post, the real threat to users came as a result of some of that information being captured by search engines. All of this data is usually encrypted, and if someone were poking around, they could have gotten a lot of user information. "Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know". Still, Prince readily admitted that "it could have been extremely bad".

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

As you can see, the list is absolutely massive. Because Cloudflare serves billions of pages each day, the number of leaky pages added up to about 120,000 a day, the company said.