Thread Tools Display Modes
02-24-17, 07:20 PM   #1
Cairenn
Credendo Vides
 
Cairenn's Avatar
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
CloudFlare leak

As some of you may have heard, CloudFlare had a leak yesterday. We just want to reassure everyone that we are aware of the fact and that while we do use them, we do not appear to have been impacted in any way. This is what they sent to us:

Originally Posted by cloudflare
Dear MMOUI,

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident...re-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information would still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO
  Reply With Quote
02-25-17, 12:31 AM   #2
Fizzlemizz
I did that?
 
Fizzlemizz's Avatar
Premium Member
AddOn Author - Click to view addons
Join Date: Dec 2011
Posts: 1,871
Thank you for the heads up Cairenn and co., it is appreciated.
__________________
Fizzlemizz
Maintainer of Discord Unit Frames and Discord Art.
Author of FauxMazzle, FauxMazzleHUD and Move Pad Plus.
  Reply With Quote
03-03-17, 09:20 AM   #3
Tntdruid
Premium Member
 
Tntdruid's Avatar
Premium Member
AddOn Author - Click to view addons
Join Date: Jan 2005
Posts: 55
Glad i dont use them
  Reply With Quote
03-03-17, 02:20 PM   #4
SDPhantom
A Pyroguard Emberseer
 
SDPhantom's Avatar
AddOn Author - Click to view addons
Join Date: Jul 2006
Posts: 2,313
Originally Posted by Tntdruid View Post
Glad i dont use them
CloudFlare is middleman providing cloud services and security among a list of other things to websites and web-based applications. Long story short, the only time you would know CloudFlare is involved is when something wrong happens. Otherwise, everything is supposed to be transparent.

For example, this same alert was posted a while ago by Discord. Their users could have had their credentials leaked as a result of this bug. Details are linked below.
(Discord) Safety Jim PSA: Cloudflare Security Issue


Other links:
Google: Project Zero Bug Report (Discovery of CloudFlare bug)
Incident report on memory leak caused by Cloudflare parser bug (As posted earlier by Cairenn)
Quantifying the Impact of "Cloudbleed"
__________________
WoWInterface AddOns
"All I want is a pretty girl, a decent meal, and the right to shoot lightning at fools."
-Anders (Dragon Age: Origins - Awakening)

Last edited by SDPhantom : 03-03-17 at 03:43 PM.
  Reply With Quote

WoWInterface » Site Forums » News » CloudFlare leak

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off