Slashdot Mirror


Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk)

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

4 of 87 comments

  1. Re:C strikes again by Anonymous Coward · · Score: 2, Insightful

    Ironically calloc would solve a lot of problems if only idiots would stop whining about how malloc is allegedly faster. It's ironic because calloc begins with C.
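
Worked illustration of the calloc point above, added here as an example and not code from the story or from Cloudflare: a constructed C model in which one reused scratch buffer stands in for memory an allocator hands back, and a length-handling bug copies more bytes out of it than the current request wrote. All names (arena_alloc_raw, arena_alloc_zeroed, build_response_buggy, build_response_fixed, leaks_previous_request) and the sample "secret" are hypothetical. It goes slightly beyond the comment: besides contrasting malloc-like and calloc-like allocation, it shows the bounds check that removes the leak even when the memory is not zeroed.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64

/* One reused scratch buffer, standing in for memory an allocator hands back
 * without clearing. Constructed model of the bug class, not Cloudflare's parser. */
static unsigned char arena[ARENA_SIZE];

/* Like malloc: whatever the previous user left behind is still there. */
static unsigned char *arena_alloc_raw(void) { return arena; }

/* Like calloc: cleared before it is handed out. */
static unsigned char *arena_alloc_zeroed(void) {
    memset(arena, 0, ARENA_SIZE);
    return arena;
}

typedef unsigned char *(*alloc_fn)(void);
typedef size_t (*build_fn)(alloc_fn, const char *, size_t, size_t, char *, size_t);

/* Buggy builder: copies `declared_len` bytes out of the scratch buffer even
 * though only `body_len` bytes were written into it, so the tail of the
 * response is whatever the scratch buffer already held. */
static size_t build_response_buggy(alloc_fn alloc, const char *body, size_t body_len,
                                   size_t declared_len, char *out, size_t out_cap) {
    unsigned char *scratch = alloc();
    if (body_len > ARENA_SIZE) body_len = ARENA_SIZE;
    memcpy(scratch, body, body_len);
    size_t n = declared_len;              /* BUG: trusts the declared length */
    if (n > ARENA_SIZE) n = ARENA_SIZE;
    if (n > out_cap - 1) n = out_cap - 1;
    memcpy(out, scratch, n);
    out[n] = '\0';
    return n;
}

/* Fixed builder: the copy length is bounded by the bytes actually present. */
static size_t build_response_fixed(alloc_fn alloc, const char *body, size_t body_len,
                                   size_t declared_len, char *out, size_t out_cap) {
    unsigned char *scratch = alloc();
    (void)declared_len;                   /* never used as a copy length */
    if (body_len > ARENA_SIZE) body_len = ARENA_SIZE;
    memcpy(scratch, body, body_len);
    size_t n = body_len;
    if (n > out_cap - 1) n = out_cap - 1;
    memcpy(out, scratch, n);
    out[n] = '\0';
    return n;
}

/* Run two requests through the same scratch buffer; return 1 if the first
 * request's secret (a constructed sample value) appears in the second response. */
static int leaks_previous_request(alloc_fn alloc, build_fn build) {
    static const char secret[] = "Cookie: session=SECRET_FROM_REQUEST_1";
    static const char body2[]  = "GET /";
    char out[ARENA_SIZE + 1];
    /* Request 1: well-formed, declared length matches the body. */
    build(alloc, secret, sizeof secret - 1, sizeof secret - 1, out, sizeof out);
    /* Request 2: short body, over-large declared length. */
    build(alloc, body2, sizeof body2 - 1, ARENA_SIZE, out, sizeof out);
    return strstr(out, "SECRET_FROM_REQUEST_1") != NULL;
}

int main(void) {
    printf("malloc-like + buggy length : leak=%d\n",
           leaks_previous_request(arena_alloc_raw, build_response_buggy));
    printf("calloc-like + buggy length : leak=%d\n",
           leaks_previous_request(arena_alloc_zeroed, build_response_buggy));
    printf("malloc-like + bounds check : leak=%d\n",
           leaks_previous_request(arena_alloc_raw, build_response_fixed));
    return 0;
}
```

Only the first configuration leaks. Zeroing on allocation limits what an over-read can expose to the current request's own bytes, which is why the calloc argument has merit; the bounds check removes the over-read itself, which is the actual fix. In a real service you want both, and a memory sanitizer in testing would have flagged the buggy builder on the first run.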

  2. Lovely by LordWabbit2 · · Score: 1, Insightful

    unnamed services for hotel booking and password management.

    And THAT is why I don't use online password management sites, bloody stupid idea anyway, talk about putting all your eggs into one basket.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.

  3. Re:obligatory cutesy name by Anonymous Coward · · Score: 5, Insightful

    Um... Considering the size and scope of Cloudflare, this is pretty massive news.

    And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turn to Twitter to find the fastest possible route of alerting someone at Cloudflare.

    But please continue to keep swearing about nothing.

  4. Re:obligatory cutesy name by SumDog · · Score: 3, Insightful

    I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).

    The HackerNews story has hundreds of comments explaining just how bad the situation is.