
For months, a bug in CloudFlare resulted in malformed pages spraying uninitialized memory. This uninitialized memory contained anything that passed through CloudFlare: passwords, cookies, HTTP headers, HTTP content, even internal Cloudflare TLS certificates.

ANYTHING transited through CloudFlare could have been sprayed onto the internet. Even worse, HTTP caches (like Google, corporate web caches, ISP caches) have cached these malformed data.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.




"Consequence of @taviso's Cloudbleed discovery: essentially any traffic which passed through Cloudflare (even https) recently might be public"

What you can do
Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all Cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

Theoretically sites not using Cloudflare DNS can also be affected (because an affected site could have made an API request to a non-affected one), so you should probably change all your important passwords.

You can read the full discovery here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

List of sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak: https://github.com/pirate/sites-using-cloudflare


Edit: Ignore bad formatting
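
The cross-check suggested under "What you can do", as an added example that is not part of the original post: it matches a password-manager CSV export against a one-domain-per-line list of possibly affected sites to show which logins to rotate first. The CSV column names, the list format and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample list, one domain per line (assumed format).
SAMPLE_DOMAINS = "# constructed sample\nexample-chat.test\ndating.example\n"

# Constructed password-manager CSV export; column names are assumptions.
SAMPLE_EXPORT = """\
name,url,username
Chat,https://login.example-chat.test/signin,alice
Bank,https://bank.example/login,alice
Dating,dating.example,alice@example.org
Lookalike,https://notexample-chat.test/,alice
"""


def load_domains(text):
    """Parse a one-domain-per-line list, skipping blanks and # comments."""
    lines = (l.strip().lower().rstrip(".") for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}


def host_of(url):
    """Return the lowercase hostname of an entry that may lack a scheme."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def matches(host, domains):
    """True if host or a parent domain is listed (whole labels only)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def accounts_to_rotate(export_text, domains):
    """Return (name, host) for each saved login on a listed domain."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        host = host_of((row.get("url") or "").strip())
        if host and matches(host, domains):
            hits.append((row["name"], host))
    return hits


if __name__ == "__main__":
    for name, host in accounts_to_rotate(SAMPLE_EXPORT, load_domains(SAMPLE_DOMAINS)):
        print(f"rotate: {name} ({host})")
```

Matching on whole labels means `login.example-chat.test` counts as a hit for `example-chat.test`, while `notexample-chat.test` does not. A login that is not flagged is not thereby cleared, since the list only covers sites that were possibly affected directly.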
