AOBLXIX

February 2017 - Cloudflare Vulnerability - Important Read


It was reported earlier today by Cloudflare that there's been a vulnerability that was discovered last Friday that possibly leaked sensitive data from websites, like your passwords for example. As Cloudflare is one of the largest companies in the world to provide a wide range of services to millions of websites, there's a good chance that some of the websites that you use on a day to day basis were affected. The =ADK= Website and our servers do not use the Cloudflare Service, but as we do use Discord we wanted to make sure all of you were aware of this situation.

The CTO from Discord said this:

Quote

Cloudflare disclosed today that they have fixed a bug reported by Google’s Project Zero that was very rarely exposing sensitive information in random requests (0.00003% of all requests) since September 2016. There was no way to target specific information and the exposed information was random.

For those that are unaware, Cloudflare is an internet proxy that protects websites from malicious attacks such as DDoS. Discord and many other websites were affected by this vulnerability. You can find a full list of websites that are using Cloudflare here.

The likelihood that your information was leaked on any of these sites is very low, but we highly recommend changing your password on Discord and any other sites you use that also use Cloudflare. If you develop against the API on any of the sites, it is also recommended to reset your API key.

At the current time we do not believe performing a forced password reset on all of Discord is necessary given the incredibly low likelihood of impact, but we are continuing to evaluate as we wait for Cloudflare to provide us directly with the full level of impact.

So as you see, while they don't believe that anyone was impacted, they do still recommend you reset your password, and that goes for all of your other services as well.

Here's some information from Cloudflare:

Quote

Internal impact of the bug

Cloudflare runs multiple separate processes on the edge machines and these provide process and memory isolation. The memory being leaked was from a process based on NGINX that does HTTP handling. It has a separate heap from processes doing SSL, image re-compression, and caching, which meant that we were quickly able to determine that SSL private keys belonging to our customers could not have been leaked.

However, the memory space being leaked did still contain sensitive information. One obvious piece of information that had leaked was a private key used to secure connections between Cloudflare machines.

When processing HTTP requests for customers’ web sites our edge machines talk to each other within a rack, within a data center, and between data centers for logging, caching, and to retrieve web pages from origin web servers.

In response to heightened concerns about surveillance activities against Internet companies, we decided in 2013 to encrypt all connections between Cloudflare machines to prevent such an attack even if the machines were sitting in the same rack.

The private key leaked was the one used for this machine to machine encryption. There were also a small number of secrets used internally at Cloudflare for authentication present.

External impact and cache clearing

More concerning was the fact that chunks of in-flight HTTP requests for Cloudflare customers were present in the dumped memory. That meant that information that should have been private could be disclosed.

This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens).

Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.

An additional problem was that Google (and other search engines) had cached some of the leaked memory through their normal crawling and caching processes. We wanted to ensure that this memory was scrubbed from search engine caches before the public disclosure of the problem so that third-parties would not be able to go hunting for sensitive information.

Our natural inclination was to get news of the bug out as quickly as possible, but we felt we had a duty of care to ensure that search engine caches were scrubbed before a public announcement.

The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.
We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.

tl;dr - the memory leak allowed content, previously HTTPS or HTTP, to be viewed, and it was cached by a lot of search engines, which in turn is one of the main reasons why this is so important and something that you should be taking seriously.

We hope you'll spread this information to all of your friends and family to make sure that they are aware of this situation and look to securely protect their information.
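An added example, not part of the original post and not Cloudflare's or Discord's own tooling: a small Python heuristic a site operator could run over HTML bodies served back through a proxy or found in a search engine cache, flagging the kinds of fragments Cloudflare lists above as leaked (request lines, headers, cookies, bearer tokens) plus bursts of raw control bytes that HTML should never contain. The two sample pages, the thresholds and the pattern list are constructed assumptions, not real captures.

```python
import re
from dataclasses import dataclass

# Fragments that belong in HTTP framing, never inside an HTML document body.
# The categories follow what Cloudflare reported as leaked: request lines,
# headers (Host, cookies, X-* headers), and credentials carried in headers.
PATTERNS = {
    "request_line": re.compile(r"\b(?:GET|POST|PUT|DELETE|PATCH) /\S* HTTP/1\.[01]\b"),
    "header": re.compile(r"^(?:Host|Cookie|Set-Cookie|Authorization|X-Forwarded-For|User-Agent): *\S", re.M),
    "bearer_token": re.compile(r"\bBearer [A-Za-z0-9._~+/=-]{20,}"),
}

@dataclass
class Finding:
    category: str
    offset: int
    snippet: str  # first 40 chars of the match, for the analyst's review queue

def find_fragments(body: str) -> list:
    """Return every header-like fragment found in an HTML body, ordered by offset."""
    found = [Finding(cat, m.start(), m.group(0)[:40])
             for cat, rx in PATTERNS.items() for m in rx.finditer(body)]
    return sorted(found, key=lambda f: f.offset)

def control_char_ratio(body: str) -> float:
    """Share of control bytes (excluding tab/CR/LF); raw heap memory tends to carry them."""
    if not body:
        return 0.0
    bad = sum(1 for ch in body if (ord(ch) < 32 and ch not in "\t\r\n") or ord(ch) == 127)
    return bad / len(body)

def looks_leaky(body: str, min_fragments: int = 2, max_control_ratio: float = 0.01) -> bool:
    """Flag a body carrying several header-like fragments or a burst of control bytes (assumed thresholds)."""
    return len(find_fragments(body)) >= min_fragments or control_char_ratio(body) > max_control_ratio

# Constructed samples: a normal page and one with a leaked request chunk spliced in.
CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Nothing unusual here.</p></body></html>"
LEAKY_PAGE = ("<html><body><p>Partial page</p>"
              "GET /api/v1/me HTTP/1.1\r\nHost: example.invalid\r\n"
              "Cookie: session=CONSTRUCTED-SESSION-VALUE\r\n"
              "Authorization: Bearer CONSTRUCTED.TOKEN.VALUE.ABCDEFGHIJKLMN\r\n"
              "\x00\x00\x01\x02</body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("leaky", LEAKY_PAGE)):
        print(name, looks_leaky(page), [f.category for f in find_fragments(page)])
```

A hit is only a lead for a human to confirm and then purge or rotate; the thresholds are deliberately loose so that pages discussing HTTP in prose (which mention "Cookie:" once) do not trip them.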
