Cloudflare bug leaked encryption keys, passwords and more – TechSpot

Google Project Zero researcher Tavis Ormandy recently reached out to content delivery network and Internet security services provider Cloudflare regarding a serious security issue he stumbled across in which corrupted web pages were being returned by some HTTP requests run through Cloudflare.

As explained by Cloudflare's John Graham-Cumming, a minor coding error was causing their edge servers to run past the end of a buffer and return memory that contained private data including encryption keys, passwords, cookies, chunks of POST data and more.

As The Register explains, in layman's terms, one can think of it as sitting down at a restaurant at a supposedly clean table. In addition to being handed a menu, you also receive the contents of the previous diner's wallet or purse.

Ormandy notes that once they understood what they were seeing and realized the implications, they immediately reached out to Cloudflare's security team, which wasted little time in getting to work. Graham-Cumming said that because they're a service, bugs can go from being reported to fixed in minutes to hours instead of months. In this instance, they were able to mitigate the issue in just 47 minutes and wrap up a global fix in under seven hours.

On Twitter, Ormandy said that the issue has been going on for months with affected clients including 1Password (passwords are not compromised in their case however), Uber, FitBit and OKCupid, among others.

Graham-Cumming said they have not found any evidence of malicious exploits or other reports of its existence. Nevertheless, it's probably a good idea to go through and change all of your online passwords. Again.

A list of notable sites and services potentially affected by "Cloudbleed" follows below:

Lead photo courtesy Getty Images
