Cloudflare bug leaked encryption keys, passwords and more

Shawn Knight

Posts: 15,240   +192
Staff member

Google Project Zero researcher Tavis Ormandy recently reached out to content delivery network and Internet security services provider Cloudflare regarding a serious security issue he stumbled across in which corrupted web pages were being returned by some HTTP requests run through Cloudflare.

As explained by Cloudflare’s John Graham-Cumming, a minor coding error was causing their edge servers to run past the end of a buffer and return memory that contained private data including encryption keys, passwords, cookies, chunks of POST data and more.

As The Register explains, in layman’s terms, one can think of it as sitting down at a restaurant at a supposedly clean table. In addition to being handed a menu, you also receive the contents of the previous diner’s wallet or purse.

Ormandy notes that once they understood what they were seeing and realized the implications, they immediately reached out to Cloudflare’s security team which wasted little time in getting to work. Graham-Cumming said that because they’re a service, bugs can go from being reported to fixed in minutes to hours instead of months. In this instance, they were able to mitigate the issue in just 47 minutes and wrap up a global fix in under seven hours.

On Twitter, Ormandy said that the issue has been going on for months with affected clients including 1Password (passwords are not compromised in their case however), Uber, FitBit and OKCupid, among others.

Graham-Cumming said they have not found any evidence of malicious exploits or other reports of its existence. Nevertheless, it’s probably a good idea to go through and change all of your online passwords. Again.

A list of notable sites and services potentially affected by "Cloudbleed" follows below:

  • 4chan.org
  • authy.com
  • betterment.com
  • bitdefender.com
  • bitpay.com
  • change.org
  • codepen.io
  • coinbase.com
  • counsyl.com
  • curse.com (and other Curse sites like minecraftforum.net)
  • digitalocean.com
  • discordapp.com
  • feedly.com
  • fitbit.com
  • fiverr.com
  • getbootstrap.com
  • glassdoor.com
  • jquery.com
  • kraken.com
  • localbitcoins.com
  • medium.com
  • news.ycombinator.com
  • okcupid.com
  • pastebin.com
  • patreon.com
  • poloniex.com
  • producthunt.com
  • prosper.com
  • tfl.gov.uk
  • thepiratebay.org
  • transferwise.com
  • uber.com
  • yelp.com
  • zendesk.com
  • ziprecruiter.com
  • zoho.com

Lead photo courtesy Getty Images

Permalink to story.

 
Hey - Will here from Agilebits, makers of 1Password

We are aware of the reported data breach at Cloudflare and wanted to share some information about that.

1Password data was NOT exposed as a result of this breach. This means that users of 1Password do not need to change their Master Passwords.

1Password does not rely on HTTPS to ensure that customer’s 1Password data is not at risk. Our security recipe starts with AES-256 bit encryption and uses multiple layers to protect your data both at rest and in transit.

To read further about our approach to security and how we protect our 1Password data you can read our security whitepaper here:

https://1password.com/files/1Password for Teams White Paper.pdf

Our own Jeffrey Goldberg has also written up a blog post that you might enjoy:

https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/

If you’re looking for more detailed information, please let us know!
 
Hey - Will here from Agilebits, makers of 1Password

If you’re looking for more detailed information, please let us know!

You just joined today? Well welcome!

I'd find it hard to believe cloudflare keeps that kind of info to be honest with how it works but then again I could be wrong xD

I've used 1Password in the past but unfortunately I cant see myself moving from lastpass as of yet its just integrated perfectly with everything I use. Then again I haven't kept up with 1Passwords development as of late.
 
Cloudfare has become the bane of the WWW. Its actually stopped me from visiting a lot of sites thanks to its incomprehensible and buggy CAPCHAs. There's a HUGE opportunity for someone in the form of a better anti-DDOS service.
 
We've updated the story with a list of notable sites that are potentially affected, also adding the note about 1Password not being affected due to extra security layers that they apply to users' data.
 
Great reporting. One site has my private email server on it (like hillary had) and I guess I have to change those passwords. Microsoft and google email servers have gotten too secure that they are unusable. Murphys law deliberately effects those android apps, and I don't know how you'd, for example, have someone else design an app or website when it has to be redesigned every two months. This is as often as color tvs broke having tubes not transistors. You'd test the tubes at the drug store. Got $50 each time as the pro got $150 in the 60s. Now some want computer repair for free. You think some are test tube babies?
 
Last edited:
Hey - Will here from Agilebits, makers of 1Password

If you’re looking for more detailed information, please let us know!

You just joined today? Well welcome!

I'd find it hard to believe cloudflare keeps that kind of info to be honest with how it works but then again I could be wrong xD

I've used 1Password in the past but unfortunately I cant see myself moving from lastpass as of yet its just integrated perfectly with everything I use. Then again I haven't kept up with 1Passwords development as of late.

I'm using 1password and its a hit and miss with websites. Sometimes you must enter (copy/paste) the credentials manually from the vault to open a website. Tried changing the links in the vault and still most of the time it won't work. Sometimes I have to delete the entry and reenter again to make a new entry and most of the time its a hit and miss again. Editing in the vault involves a lot of clicking or should I say its complcated if its your mom is using it.. Just got dashlane from humble bundle and guess what, it works better. Roboform is also better. You will get to a point in life where its annoying and getting complicated you have to pull your hair and jump in your seat.

Too bad roboform stopped their stand aloneversion and moving to subscription based only.
 
You just joined today? Well welcome!

I'd find it hard to believe cloudflare keeps that kind of info to be honest with how it works but then again I could be wrong xD

I've used 1Password in the past but unfortunately I cant see myself moving from lastpass as of yet its just integrated perfectly with everything I use. Then again I haven't kept up with 1Passwords development as of late.

Thanks for replying - we have done a lot of work on 1Password recently, and now offer 1Password membership as well as standalone licenses - membership offers solutions for teams and families and gives better security, easier sharing between individuals and much more. Do check us out :)
 
Back