So Cloudflare just spilled usernames and passwords for its customers (like Crunchyroll)
76509 cr points
49
Posted 2/23/17, edited 2/24/17
Hey guys,

Just so you know, Cloudflare just released details on a bug which may have released your usernames and passwords onto the internet. I'd change mine if I were you.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Be safe out there.

#cloudbleed is bad
1793 cr points
31 / M / Azeroth
Posted 2/23/17, edited 2/23/17

http://www.animenewsnetwork.com/news/2017-02-22/report-2.5-million-funimation-accounts-compromised-in-data-breach/.112538
The "Have I been pwned?" and Vigilante websites, which check for database breaches, both list a data breach as having occurred on Funimation's website last July. "Have I been pwned?" reported that 2,491,103 accounts may have been compromised, while Vigilante puts the number at 2,513,525 accounts.

The compromised information purportedly includes usernames, dates of birth, email addresses, and passwords.

As of press time Funimation has not responded to ANN's request for comment on the supposed data breach.

We keep finding more sensitive data that we need to clean up. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.


My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.


https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

HAAAAAHAHAAH
HAHAHAHAHAHAHAH
AHAHAAAAAAAAAA!!!!


VENGEANCE IS MINE!!!!!

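An added illustration of the mechanism in the bug-tracker comment quoted above. This is constructed example code, not Cloudflare's parser and not from this thread: Cloudflare's linked incident report states that the end of the parse buffer was checked with the equality operator and a pointer was able to step past the end of the buffer; the two-tenant memory layout, the `<img src=` logic, and the sample requests below are stand-ins invented for this demo.

```c
/* Added, constructed illustration of the Cloudbleed mechanism. Not Cloudflare's
 * code: the incident report says the end of the parse buffer was checked with
 * the equality operator and a pointer was able to step past it; the two-tenant
 * layout and the "<img src=" logic here are stand-ins invented for this demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two tenants' traffic sitting back to back in one proxy worker's memory
 * (constructed sample data). Tenant A's HTML is cut mid-tag by a chunk
 * boundary; tenant B's login request, cookie and all, follows immediately. */
#define TENANT_A "GET / HTTP/1.1\r\nHost: tenant-a.example\r\n\r\n<img "
#define TENANT_B "POST /login HTTP/1.1\r\nHost: tenant-b.example\r\n" \
                 "Cookie: session=SECRET-B\r\n\r\nuser=bob&pass=hunter2"
static const char shared_heap[] = TENANT_A TENANT_B;
#define TENANT_A_LEN (sizeof(TENANT_A) - 1)

/* End-of-buffer test. The whole bug lives in this one line: "==" only fires
 * if p lands exactly on pe; ">=" also catches a p that has overshot it. */
static int at_end(const char *p, const char *pe, int strict)
{
    return strict ? (p >= pe) : (p == pe);
}

/* Copy the value of the first "<img src=..." found in [p, pe) into out.
 * strict == 0 reproduces the buggy check, strict != 0 the fixed one.
 * Returns the number of bytes copied; out is always NUL-terminated. */
static size_t extract_src(const char *p, const char *pe,
                          char *out, size_t outlen, int strict)
{
    size_t n = 0;

    /* Scan one byte per step for "<img ". This part never overshoots. */
    while (!at_end(p, pe, strict)) {
        if ((size_t)(pe - p) >= 5 && memcmp(p, "<img ", 5) == 0) {
            p += 5;
            /* The parser trusts that "src=" follows and skips it without
             * checking that four bytes remain. If the chunk ended right
             * after "<img ", p is now four bytes PAST pe. */
            p += 4;
            /* Copy the attribute value up to '>' or the end of the buffer.
             * With "==", an overshot p never equals pe, so the copy runs on
             * into whatever sits next in memory: tenant B's request.
             * (The '\0' and outlen guards keep this demo inside its own
             * array; a real heap has no such fence.) */
            while (!at_end(p, pe, strict) && *p != '>' && *p != '\0'
                   && n + 1 < outlen)
                out[n++] = *p++;
            break;
        }
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Parse tenant A's slice only and report how many bytes came out. */
static size_t demo_copied(int strict)
{
    char out[128];
    return extract_src(shared_heap, shared_heap + TENANT_A_LEN,
                       out, sizeof out, strict);
}

/* 1 if parsing tenant A's slice leaked tenant B's session cookie. */
static int demo_leaks(int strict)
{
    char out[128];
    extract_src(shared_heap, shared_heap + TENANT_A_LEN, out, sizeof out, strict);
    return strstr(out, "session=SECRET-B") != NULL;
}

int main(void)
{
    printf("buggy (==): copied %zu bytes, leaked tenant B cookie: %s\n",
           demo_copied(0), demo_leaks(0) ? "yes" : "no");
    printf("fixed (>=): copied %zu bytes, leaked tenant B cookie: %s\n",
           demo_copied(1), demo_leaks(1) ? "yes" : "no");
    return 0;
}
```

The point of the demo is the one-character difference in `at_end`: the scanning loop itself is fine, but a single multi-byte skip that assumes well-formed input is enough to put `p` past `pe`, and once that has happened an equality check can never bring the parser back to a stop. Because the proxy process is shared by every customer, the bytes that follow belong to whichever other tenant's request or response happened to sit next in memory, which is why the leaked data in the quoted comment spans unrelated sites.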
30000 cr points
84 / F / Bite the pillow.
Posted 2/23/17, edited 2/23/17

Felidominus wrote:

Hey guys,

They fixed it:

- Cloudflare fixes bug that leaked user data, says info now cleared from search engine caches
- https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
1793 cr points
31 / M / Azeroth
Posted 2/23/17, edited 2/24/17

Hairbelly wrote:

They fixed it:


That isn't the issue; of course it is "fixed", as it has become a public disclosure. The problem is, where did the data go during several months of exposure? Yes, Google/search engines may have "deleted sensitive data", but that says nothing in regards to NSA/Russia/China/whatever, who may have passively hacked via cached data. Or if someone figured it out beforehand.

Only time shall tell...
31408 cr points
27 / M / New York
Posted 2/23/17, edited 2/24/17
gsm642
1886 cr points
38 / M / Shanghai China
Posted 2/23/17, edited 2/24/17
Maybe we should start to sue companies so that they are forced to adopt the cost vs. risk plan. There is a formula that companies are supposed to be using when it comes to security and how much they should be spending on it, which most are not, for some reason.
1793 cr points
31 / M / Azeroth
Posted 2/23/17, edited 2/24/17

-Famous Last Words

EDIT: BTW, "1Password" refers to a unified password manager software, and not "Twitter-speak" referencing all password info. This is implied because passes are encrypted in the packet; but that doesn't mean they are unbreakable.
28496 cr points
28 / M
Posted 2/23/17, edited 2/24/17
Oh well...
1033 cr points
Posted 2/23/17, edited 2/24/17
Oh no the heavens are dividing
33 cr points
18 / F / Seattle, Washington
Posted 2/23/17, edited 2/24/17
Thanks for posting this. I was starting to wonder when someone would.

I'm a rather soft-spoken person so I avoided posting this myself.
39169 cr points
M
Posted 2/23/17, edited 2/24/17
What uses Cloudflare? How do I know what sites are affected?
Kintor
22912 cr points
M
Posted 2/23/17, edited 2/24/17
Here's a list of the major affected sites, including Crunchyroll:

https://github.com/pirate/sites-using-cloudflare

This is a big deal; just about anyone who uses the internet could've had one (or more) of their passwords stolen.
1793 cr points
31 / M / Azeroth
Posted 2/23/17, edited 2/24/17
Forget passwords, "forum data" could have been taken, as was used as an example by the people who discovered it: "private messages sent via dating sites".

We keep finding more sensitive data that we need to clean up. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

You'd better not have "had sexual relationships with that woman"...

But no matter...
39169 cr points
M
Posted 2/23/17, edited 2/24/17

Kintor wrote:

Here's a list of the major affected sites, including Crunchyroll:

https://github.com/pirate/sites-using-cloudflare

This is a big deal; just about anyone who uses the internet could've had one (or more) of their passwords stolen.


Thanks for the link.

Anime News Network is on that list, too.
Kintor 
22912 cr points
M
Posted 2/23/17, edited 2/24/17

DeadlyOats wrote:

Thanks for the link.

Anime News Network is on that list, too.

No problem, happy to pass on the link.

Also, let me know if you see this guy anywhere as you browse the web:

A hack of this scale could only be the work of Diaboromon.