Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk)

Posted by BeauHD on from the time-to-clean-up dept.

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

5 of 87 comments (clear)

  1. Re:Lovely by fuzzyf · · Score: 3, Interesting

    As long as passwords are encrypted and decrypted on the client it's not really that much of a risk.

    I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I havent managed to set up a better system for myself... yet.

    MFA and a strong master password is pretty good for protecting your passwords.

  2. Re:Lovely by Troed · · Score: 4, Interesting

    It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

    No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

    https://blog.agilebits.com/201...

    (I use LastPass myself)

    The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

    --
    it's in my head
  3. Re:obligatory cutesy name by Anonymous Coward · · Score: 5, Insightful

    Um.. Considering the size and scope of Cloudflare, this pretty massive news.

    And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turning to Twitter to find the fastest possible route of alerting someone at Cloudflare.

    But please continue to keep swearing about nothing.

  4. Re:obligatory cutesy name by SumDog · · Score: 3, Insightful

    I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).

    The HackerNews story has hundreds of comments explaining just how bad the situation is.

  5. Re:obligatory cutesy name by DonaId+Trump · · Score: 3, Interesting

    Yep, CloudFlare is spraying supposedly TLS-encrypted data all over the internet in clear text?! What the fuck!? I almost want to laugh at CloudFlare's misfortune, except every internet user including me is probably affected by this. What the hell is the point of HTTPS at all, when so much HTTPS traffic is being purposely MITM'd for profit by CloudFlare? A very large part of the web is living under their leaky roof, meantime many in the professional networking community encourage this and help implement it. Again I ask what the fuck!? The whole company smells more like a CIA operation as time goes on.

    CLOUDFLARE IS UNDERMINING THE INTERNET, not to mention proudly serving ISIS terrorist websites, malware distributors, and DDoSers/Booters. They should be null routed and de-peered!