CloudFlare Memory Leak -- Zero Hour Security

      There are currently 4,287,625 potentially affected domains.


      I cannot stress this enough: change ALL of your passwords. Every single one. Due to the nature of this vulnerability, even sites that were not directly CloudFlare customers may have been affected.

      timeline wrote:


      All times are UTC.


      2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
      2017-02-18 0032 Cloudflare receives details of bug from Google
      2017-02-18 0040 Cross functional team assembles in San Francisco
      2017-02-18 0119 Email Obfuscation disabled worldwide
      2017-02-18 0122 London team joins
      2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
      2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide


      2017-02-20 2159 SAFE_CHAR fix deployed globally


      2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide


      Last Friday (2017-02-18), a bug was discovered by Google's Tavis Ormandy regarding Cloudflare's SSL rewrite service. This is the service that adds an SSL certificate to otherwise unencrypted sites.


      The bug, as described on the linked pages below, caused a memory leak which enabled user information (including usernames, passwords, and other information) to be cached by your browser and search engines in an insecure manner. This memory leak also allowed bots to scrape information from pages.


      The projected impact includes every Cloudflare site on the planet, including sites that called APIs on the affected sites.


      The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), with the potential for 100k-200k pages with private data leaked every day.


      I do not fully understand the scope of the issue as of yet, but it is fully understood that if you used any site that was protected by Cloudflare's HTTPS rewrite service, email obfuscation service, or Server-Side Excludes service at any time this year, then it is strongly recommended that you do the following:


      Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), so to be safe you should probably change all your important passwords.
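One way to work through that recommendation systematically is to cross-reference a password-manager export against the domain list linked at the bottom of this post, so the accounts to rotate first can be prioritised. The script below is an added example written for this page, not code from the original post or from the linked repository; the CSV layout, the column names and the short domain excerpt are constructed for illustration, and the parent-domain walk is there so that a vault entry for cloud.digitalocean.com still matches digitalocean.com.

```python
"""
Cross-reference a password-manager export against a list of domains known
to sit behind Cloudflare, so the accounts to rotate first can be prioritised.
Added example; not code from the original post. The CSV layout and the
domain list below are constructed for illustration.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed excerpt in the style of github.com/pirate/sites-using-cloudflare
# (one registrable domain per line, '#' comments allowed).
AFFECTED_LIST = """\
# sample entries, constructed for this example
authy.com
coinbase.com
digitalocean.com
medium.com
"""

# Constructed password-manager export (typical "name,url,username" CSV shape).
VAULT_CSV = """\
name,url,username
Coinbase,https://www.coinbase.com/login,alice@example.com
Droplets,https://cloud.digitalocean.com/,alice
Bank,https://bank.example.org/,alice
Blog,medium.com,alice
"""


def load_affected(text):
    """Parse the domain list into a set, ignoring blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith('#'):
            domains.add(line)
    return domains


def hostname_of(url):
    """Return the lowercase host of a URL, tolerating entries without a scheme."""
    if '://' not in url:
        url = 'https://' + url
    return (urlsplit(url).hostname or '').lower()


def matching_domain(host, affected):
    """Walk the parent chain so cloud.digitalocean.com matches digitalocean.com."""
    labels = host.split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in affected:
            return candidate
    return None


def accounts_to_rotate(vault_csv, affected):
    """Return (entry name, username, matched domain) for every vault entry
    whose host is, or sits under, a domain on the affected list."""
    hits = []
    for row in csv.DictReader(io.StringIO(vault_csv)):
        host = hostname_of(row['url'])
        match = matching_domain(host, affected)
        if match:
            hits.append((row['name'], row['username'], match))
    return hits


if __name__ == '__main__':
    affected = load_affected(AFFECTED_LIST)
    for name, user, domain in accounts_to_rotate(VAULT_CSV, affected):
        print(f"rotate: {name} ({user}) -> matched {domain}")
```

A match only means the site sits behind Cloudflare and therefore could have been affected; it is not evidence that a particular credential leaked. The post's advice still stands for entries that do not match, since a non-Cloudflare site may have called an API on an affected one.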


      List of top affected sites (by most common use) wrote:


      • authy.com
      • coinbase.com
      • betterment.com
      • transferwise.com
      • prosper.com
      • digitalocean.com
      • patreon.com
      • bitpay.com
      • news.ycombinator.com
      • producthunt.com
      • medium.com
      • 4chan.org
      • yelp.com
      • okcupid.com
      • zendesk.com
      • uber.com
      • namecheap.com
      • poloniex.com
      • localbitcoins.com
      • kraken.com
      • 23andme.com
      • curse.com (and some other Curse sites like minecraftforum.net)
      • counsyl.com
      • stackoverflow.com (confirmed not affected by StackOverflow's @alienth)
      • fastmail.com (not affected, #2)
      • 1password.com (not affected)



      List of all sites available here: github.com/pirate/sites-using-cloudflare
      Report by Cloudflare: blog.cloudflare.com/incident-r…by-cloudflare-parser-bug/
      Bug report on Google: bugs.chromium.org/p/project-zero/issues/detail?id=1139