MoFo Posted February 24, 2017

DNS service Cloudflare has suffered a memory leak that has exposed user data for thousands (possibly millions) of websites.

This page has a list of the most notable (potentially) affected domains, and a zip with all possibly affected domains. If you use any of the listed sites, it would be a very good idea to change your passwords for them. If you use the same password on any other site, it would be a very good idea to change *those* too. (It's a terrible idea to share passwords anyway.)

Quote

Impact

Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

What should I do?

Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all Cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one); you should probably change all your important passwords.

Change your passwords.

Slartibartfast Posted February 24, 2017

Ouch. Many of the sites are behind-the-scenes sites but there are some big ones. 4chan, some Android support sites and a couple of Fitbit support sites. Quite a few torrent sites made the list, too.

Ryan Hothersall Posted February 25, 2017

Haven't heard of most of those sites. Hope ARC, Britmodeller etc. aren't on the list.

MoFo Posted February 25, 2017 (Author)

From the full list of possibly affected domains, it looks like both ARC and Britmodeller may have exposure through Invision Power Services (the software that runs the boards), depending on how their traffic is handled. It's not just the explicit domains that are the problem, but the background services that run them.

Network54 is also on the list, which would include the Hyperscale Forums. Eduard.com also seems to be on the list. And it looks like a number of blogs may be included, via WordPress and Blogspot.

You also appear to have exposure through your own website, via crazydomains.com.