Serious Cloudflare bug exposed a potpourri of secret customer data

(h/t to Richard Forno)

After you're done reading the Ars Technica article excerpted and linked
below, you may also want to read:

  Cloudflare Reverse Proxies Are Dumping Uninitialized Memory
  https://news.ycombinator.com/item?id=13718752

and, as background:

  CloudFlare, We Have A Problem
  http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

and then perhaps consider this comment from the Ycombinator thread:

  Where would you even start to address this? Everything you've
  been serving is potentially compromised, API keys, sessions,
  personal information, user passwords, the works.

  You've got no idea what has been leaked. Should you reset all
  your user passwords, cycle all of your keys, notify all your
  customers that their data may have been stolen?

  My second thought after relief was the realization that even
  as a consumer I'm affected by this. My password manager has > 100
  entries; what percentage of them are using CloudFlare? Should
  I change all my passwords?

---rsk

----- Forwarded message from Richard Forno <rforno@infowarrior.org> -----

Useful information on potentially compromised sites due to this:

https://github.com/pirate/sites-using-cloudflare

Mike

"This list contains all domains that use Cloudflare DNS"

That's only marginally more useful than saying "any domain matching /^.*$/";
plenty of domains use Cloudflare's DNS without using the proxy service (and
it is, barely, possible to use the proxy service which had the bug without
using the DNS service).

- Matt

Useful information on potentially compromised sites due to this:
https://github.com/pirate/sites-using-cloudflare

"This list contains all domains that use Cloudflare DNS"

That's only marginally more useful than saying "any domain matching /^.*$/";

IIRC, it's quite easy to use the proxy service without the DNS service,
as long as you are using a paid CF account for the domain and not a free
account.

Also, querying after the fact is not very scientific, because there may
be domains that _were_ using CF proxy service during the incident which
no longer use CF DNS or proxy servers, for whatever reason.

If you're going to scrape DNS records to decide, you should probably be
scraping A records for www, and then checking reverse DNS or matching
against possible CF IP addresses, not NS records.
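
The check suggested in the last message, sketched as an added example (not code from anyone in this thread): it compares the NS-record heuristic with a test of whether the A records for www fall inside Cloudflare address space. The CF_V4 list is a snapshot assumed here and should be refreshed from Cloudflare's published ranges; the function names and the .example sample data are constructed for illustration.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 ranges; an assumption of this example.
# Refresh from https://www.cloudflare.com/ips-v4 before relying on it.
CF_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def resolve_a(host):
    """Live A-record lookup; returns [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def in_cf_range(addr):
    """True if addr lies inside any range in the CF_V4 snapshot."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CF_V4)

def classify(domain, ns_names, resolver=resolve_a):
    """Return (uses_cf_dns, www_behind_cf_proxy) for one domain.

    ns_names: the domain's NS records, supplied by the caller.
    The result reflects DNS as it is now, not as it was during the incident.
    """
    uses_cf_dns = any(ns.rstrip(".").lower().endswith(".ns.cloudflare.com")
                      for ns in ns_names)
    proxied = any(in_cf_range(a) for a in resolver("www." + domain))
    return uses_cf_dns, proxied

# Constructed sample data (reserved .example names) so the demo runs offline.
SAMPLE_NS = {
    "dns-only.example": ["abby.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "proxied.example": ["abby.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "cname-setup.example": ["ns1.otherhost.example."],
}
SAMPLE_A = {
    "www.dns-only.example": ["192.0.2.10"],     # origin address, not proxied
    "www.proxied.example": ["104.16.1.1"],      # inside 104.16.0.0/13
    "www.cname-setup.example": ["172.64.5.5"],  # proxied without CF DNS
}

if __name__ == "__main__":
    for dom, ns in SAMPLE_NS.items():
        print(dom, classify(dom, ns, resolver=lambda h: SAMPLE_A.get(h, [])))
```

On the sample data the NS heuristic and the A-record check disagree for two of the three domains, which is the gap both replies describe.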