2/24/17 Security Announcement

hobbes · February 24, 2017, 7:35pm

All,

A leak with CloudFlare, the DNS provider for our forum provider, ZetaBoards, came out a few days ago and it’s important we make you all aware of it. Potentially hundreds of sites are affected, but the two services we use that are affected are our Forums (Zetaboards), and Discord. Skype is not affected as far as I know.

Here’s a complete letter on the impact:

Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn’t use those features. So the potential impact is every single one of the sites using Cloudflare’s proxy services (including HTTP & HTTPS proxy).

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (thats about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day” – source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

More info at - https://github.com/pirate/sites-using-cloudflare

What does this mean for me?

In all likelyhood, nothing… Less than one hundreth of one percent of all requests were leaked in the last month. Whether or not you wish to change your passwords is entirely up to you, we are simply giving you the information that has been given to us. But it is important to stress how few accounts were affected.

Cloudflare reaffirms no passwords were actually leaked but I am leaving this notice up so you’re aware.

Any questions can be asked here and we’ll get to them ASAP.

QuietDad · February 24, 2017, 7:48pm

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare’s systems. If you haven’t yet, I encourage you to read that post on the bug:

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers’ sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we’ve worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare’s customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please dont hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO

Our mailing address is:

Cloudflare

101 Townsend Street
San Francisco, CA 94107
Add us to your address book

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list