The leak is vaguely reminiscent of the Heartbleed vulnerability that exposed passwords, secret encryption keys, and other sensitive memory contents residing in servers running a vulnerable version of the OpenSSL crypto library. Unlike Heartbleed, however, the parser bug could be exploited only opportunistically against certain sites that used Cloudflare. It also didn't expose transport layer security keys. The leak was spotted by Google security researcher Tavis Ormandy while he was working on a "corpus distillation project." He and colleagues then struggled to understand what the data was and what was exposing it.
In an update published later, Ormandy took issue with the post Cloudflare published. "It contains an excellent postmortem, but severely downplays the risk to customers," he wrote. In a Twitter message, Ormandy said Cloudflare customers affected by the bug included Uber, 1Password, FitBit, and OKCupid. 1Password said in a blog post that no sensitive data was exposed because it was encrypted in transit.
Serious Cloudflare bug exposed a potpourri of secret customer data | Ars Technica
Graham-Cumming, the Cloudflare CTO, has ruled out the possibility that secret keys for customers' transport layer security certificates were exposed in the leaks. Still, he said end-user passwords, authentication cookies, OAuth tokens used to log into multiple website accounts, and encryption keys Cloudflare uses to protect server-to-server traffic were all at risk of being exposed. Cloudflare customers should at a minimum strongly consider changing passwords. Security researcher Ryan Lackey has other security advice here.