Monday, 12 June 2017

In summary:
  • Memory-related vulnerability in CloudFlare’s reverse proxy software caused data to get mixed up.
  • Sensitive data (passwords, cryptographic keys, PII, and so on) ended up in Google’s scrapes, and likely those of everybody else.
  • Assume all of your passwords and PII to be compromised; there’s no reliable way to tell what sites were using CloudFlare when, or whether they were affected.
Change your passwords everywhere immediately, and keep an eye on your finances. Don’t wait for notifications from vendors.
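The summary above describes the bug only as a memory-related vulnerability that caused data to get mixed up. The following added C example, which is my own constructed illustration of that bug class and not Cloudflare's code or the actual defect, shows how a single bad bounds check in a shared-memory parser lets one tenant's parse run on into a neighbouring tenant's request. The arena layout, the tenant names and the sample HTML and POST data are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Two tenants' buffers placed back to back in one pool, the way a shared
 * proxy keeps many users' requests in memory. Constructed sample data only;
 * this is not Cloudflare's code, layout or parser. */
#define REGION 64
static char arena[2 * REGION];
static size_t tenant_a_len;

static void setup_arena(void) {
    /* Space padding rather than NULs so an over-read is visible as text. */
    memset(arena, ' ', sizeof arena);
    /* Tenant A: HTML whose href value ends in a backslash and has no closing quote. */
    const char *a = "<a href=\"http://a.example/page\\";
    tenant_a_len = strlen(a);
    memcpy(arena, a, tenant_a_len);
    /* Tenant B: another user's POST body that happens to follow in memory. */
    const char *b = "POST /login user=bob&pass=SECRET-B\"";
    memcpy(arena + REGION, b, strlen(b));
}

/* Copy the quoted attribute value at p into out, honouring backslash escapes.
 * BUG: the end-of-input test is `!=`, and the escape branch advances by two,
 * so a trailing backslash steps p past `end`; the test never fires again and
 * the scan continues into whatever memory follows tenant A's buffer. */
static size_t extract_value_vuln(const char *p, const char *end,
                                 char *out, size_t outsz) {
    size_t n = 0;
    while (p != end) {
        if (*p == '\\') { p += 2; continue; }   /* skip the escaped character */
        if (*p == '"') break;
        if (n < outsz - 1) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened version: an ordering test on the bound, and the escape branch
 * refuses to step over the end of input. */
static size_t extract_value_fixed(const char *p, const char *end,
                                  char *out, size_t outsz) {
    size_t n = 0;
    while (p < end) {
        if (*p == '\\') {
            if (p + 1 >= end) break;            /* truncated escape: stop here */
            p += 2;
            continue;
        }
        if (*p == '"') break;
        if (n < outsz - 1) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Run either parser over tenant A's buffer; `end` is A's true limit. */
static size_t parse_tenant_a(int use_fixed, char *out, size_t outsz) {
    setup_arena();
    const char *start = arena + strlen("<a href=\"");  /* value begins here */
    const char *end = arena + tenant_a_len;
    return use_fixed ? extract_value_fixed(start, end, out, outsz)
                     : extract_value_vuln(start, end, out, outsz);
}

/* 1 if the vulnerable parser returned bytes belonging to tenant B. */
int vuln_parser_leaks_neighbour(void) {
    char out[2 * REGION];
    parse_tenant_a(0, out, sizeof out);
    return strstr(out, "SECRET-B") != NULL;
}

/* 1 if the fixed parser returned only tenant A's own value. */
int fixed_parser_stays_in_bounds(void) {
    char out[2 * REGION];
    parse_tenant_a(1, out, sizeof out);
    return strcmp(out, "http://a.example/page") == 0;
}

int main(void) {
    char out[2 * REGION];
    parse_tenant_a(0, out, sizeof out);
    printf("vulnerable parser returned: \"%s\"\n", out);
    parse_tenant_a(1, out, sizeof out);
    printf("fixed parser returned:      \"%s\"\n", out);
    return 0;
}
```

The vulnerable scan returns tenant A's URL followed by the padding and tenant B's credentials, which is exactly the "data got mixed up" outcome the summary describes: nothing about tenant B's request was ever sent to the attacker's page, it simply sat next to it in the proxy's memory. The fix is an ordering comparison on the bound plus a guard in every branch that advances by more than one byte.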
Some quotes from the disclosure thread:
“I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident.”
“Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. Needless to say, this did not convey to me that they take the program seriously.”
“Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers. They’ve left it too late to negotiate on the content of the notification.”
“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup.”
“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users.”
This is probably a good moment to refer back to the article I wrote last year, about how CloudFlare is actively putting the web at risk.
Seriously, stop using CloudFlare already. The only surprising thing about this incident is that it was accidental disclosure, instead of an active breach. This is playing with fire.