Pages

Monday, 12 June 2017

CloudFlare的严重安全问题

完整详细信息:http://bugs.chromium.org/p/project-zero/issues/detail?id=1139
翻译内容:
综上所述:
  • CloudFlare反向代理软件中的内存相关漏洞导致数据混乱。
  • 敏感数据(密码,加密密钥,PII等)最终在Google的刮痕中,可能是其他人的。
  • 假设您的所有密码和PII都被盗用 ; 有没有可靠的方法来告诉什么网站使用CloudFlare什么时候,或者他们是否受到影响。
立即更改您的密码,并密切关注您的财务状况。不要等待供应商的通知。
来自公开线程的一些引号:
“我没有意识到互联网有多少坐在Cloudflare CDN后面直到这个事件。
“Cloudflare指出了他们的错误赏金计划,但我注意到它有一个T恤的顶级奖励。不用说,这并没有告诉我,他们认真对待计划。
“Cloudflare最后给我发了一份草稿,它包含了一个很好的事后报告,但严重地降低了客户的风险,他们已经为了通知的内容而谈判太迟了。
“我们发现的例子太糟糕了,我取消了一些周末计划,在星期日进入办公室,帮助建立一些工具来清理。
“我们获取了几个实时样本,我们观察到加密密钥,Cookie,密码,POST数据块,甚至其他用户的其他主要cloudflare托管站点的HTTPS请求”
这可能是一个很好的时刻,参考我去年写的文章,关于CloudFlare如何积极地将网站的风险。
严重,停止使用CloudFlare已经。这次事件的唯一令人惊讶的事情是,这是偶然的披露,而不是主动违约。这是玩火。
原文内容:
In summary:
  • Memory-related vulnerability in CloudFlare’s reverse proxy software caused data to get mixed up.
  • Sensitive data (passwords, cryptographic keys, PII, and so on) ended up in Google’s scrapes, and likely those of everybody else.
  • Assume all of your passwords and PII to be compromised; there’s no reliable way to tell what sites were using CloudFlare when, or whether they were affected.
Change your passwords everywhere immediately, and keep an eye on your finances. Don’t wait for notifications from vendors.
Some quotes from the disclosure thread:
“I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident.”
“Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. Needless to say, this did not convey to me that they take the program seriously.”
“Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers. They’ve left it too late to negotiate on the content of the notification.”
“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup.”
“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users”
This is probably a good moment to refer back to the article I wrote last year, about how CloudFlare is actively putting the web at risk.
Seriously, stop using CloudFlare already. The only surprising thing about this incident is that it was accidental disclosure, instead of an active breach. This is playing with fire.
文章转自:
https://www.lowendtalk.com/discussion/106740/serious-security-issue-at-cloudflare-change-all-your-passwords-now

No comments:

Post a Comment