Recently, a well-known Google employee, Tavis Ormandy, who is involved in the security area, informed users via Twitter about the huge security problem in the Cloudflare service. For most of the network users Cloudflare name does not mean anything, so perhaps you will think that this problem does not apply to you. But it is a pernicious idea for everyone. Currently, services from Cloudflare are used by more than 5.5 million websites.
It also includes giants, such as Facebook, Uber, Fitbit and 1Password. Sensitive data, which escaped through the gap are: passwords, cookies, IP addresses, personal information, private messages, photos and encryption keys. The data leaked randomly. This does not mean, however, that no one has access to them. As we all know, the Internet nothing is lost. The networks have a lot of robots that thoroughly browse the Internet and record web pages in its cache memories, to analyse them later. Unfortunately, some requests sent to the server to reverse-proxy Cloudflare drew quite strange answers. Loaded in this way in web pages contain sensitive data network users using the services Cloudflare.
It is better to dump the password for all your accounts.
The chance that we could get the password by an unauthorized person, is small. This should not be underestimated, because even a little of caution can protect us against the total loss of privacy. Cloudflare is a very popular service among the owners of websites, so it is best to change the password on virtually all sites, all of which are using on a daily basis. If you use for the convenience of the same password for multiple accounts, the sooner you should change this bad habit.
The vulnerability has existed since September 22, 2016 year.
Of course, you noticed that this was the favourite day of everu IT employee, i.e. Friday. For this it was already noon, when most of us already have in mind the weekend. Just then Tavis Ormandy officially asked on Twitter contact someone from the security department Cloudflare. The error was discovered by chance during the analysis of the results of the project on which he worked Tavis. Upon closer inspection he realized that the data it receives in large part derived from reverse-proxy servers Cloudflare.
The data that was leaked to the servers and are injected by the response to requests for random customers include many of confidential information. These included:
- encryption and API keys,
- IP addresses of users,
- OAuth tokens,
- URI parameters,
- fragments of POST requests,
- private messages dating,
- API requests from managers of passwords sent over HTTPS,
- confirmation of booking etc.
The worst thing is that the information on are stored in the cache memories search engines. Fortunately, Google has launched the mechanisms of cleaning their cache of sensitive data. I hope that the others will do the same. It is also unclear if anyone had not detected the vulnerability and used it for nefarious purposes.