Responses: 2
MAJ Intelligence Officer
Edited 7 y ago
As the security POC for more than one org, I've spent a good portion of my day dealing with tons of people who need to be informed about what to do about this bug. While the individual risk isn't high, the theoretical chance is still there that all sorts of data ended up in the caches and could be exploited.

This bug is also why many users suddenly found that Google de-authorized the existing authentication tokens to all of their services, forcing people to log in again -- Google didn't use CloudFlare, but tons of sites that use Google as a federated login or that link your account with them to your google profile were.
MAJ Intelligence Officer
7 y
The current recommendation is that the risk is exceedingly low, but those who are worried should still change passwords on any site that didn't have additional safety protocols (example: 1Password used 2 other layers of encryption, so they weren't as vulnerable), and the list of sites is in the thousands. The further recommendation is to use a password manager that gives you unique passwords for each site so a compromise wouldn't ripple. The third recommendation is to use 2-Factor Authentication whenever a site makes it available (and to use physical tokens or apps like Google Authenticator over SMS messages to your phone when given the chance). 2 and 3 are recommendations in general, not just regarding this issue.
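The triage the comment above describes (rotate passwords on affected sites, and notice where a reused password would let a compromise ripple) can be scripted against a password-manager export. The following is an added example, not code from the thread or from any vendor; the affected-domain list and the saved logins are constructed placeholders, since the real published lists are not reproduced here.

```python
"""Cross-check saved logins against a Cloudbleed-style affected-domain list."""
from urllib.parse import urlsplit

# Constructed placeholder: the real lists published after the incident ran
# to thousands of domains and are not reproduced on this page.
AFFECTED_DOMAINS = {"example-forum.test", "shop.example.net"}

# Constructed sample of a password-manager export: (site URL, username, password)
SAVED_LOGINS = [
    ("https://www.example-forum.test/login", "alice", "hunter2"),
    ("https://api.shop.example.net/", "alice", "correct-horse-battery"),
    ("https://bank.example.org/", "alice", "hunter2"),          # reuses hunter2
    ("https://mail.example.org/", "alice", "unique-pw-1"),
    ("http://example-forum.test.attacker.test/", "alice", "unique-pw-2"),  # lookalike
]


def host_of(url):
    """Normalised hostname of a saved-login URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_affected(host, affected):
    """Return the affected domain that host equals or is a subdomain of.
    Suffix matching is done label by label, so a lookalike such as
    example-forum.test.attacker.test does not match example-forum.test."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in affected:
            return candidate
    return None


def logins_to_rotate(logins, affected=AFFECTED_DOMAINS):
    """List (host, username, reason) for every login that should be rotated:
    direct hits on affected domains, then any login elsewhere that reuses a
    password from a direct hit (the 'ripple' the unique-password advice avoids)."""
    hits, exposed_passwords = [], set()
    for url, user, pw in logins:
        matched = matches_affected(host_of(url), affected)
        if matched:
            hits.append((host_of(url), user, "on affected domain " + matched))
            exposed_passwords.add(pw)
    for url, user, pw in logins:
        host = host_of(url)
        if matches_affected(host, affected) is None and pw in exposed_passwords:
            hits.append((host, user, "reuses a password from an affected site"))
    return hits
```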
MAJ Intelligence Officer
7 y
Here's a really good write-up about it from noted security researcher Troy Hunt.
https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
LTC John Shaw
This event shows the importance of picking your cloud provider and content cache solutions. Most large organizations require an indemnity clause for damages when security breaches occur.
Mobile and e-commerce are about trust and security in your PII and payment processing. Even if you have a good agreement, the best outcome is no breach at all.