Team Liquid's community sites and Liquipedia are not affected by this. We use Cloudflare only for DNS, at no time do any of your requests pass through their network. -R1CH |
#Cloudbleed HTTPS Traffic Leak
Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source
You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q= {"scheme":"http"} CF-Host-Origin-IP&t=h_&ia=web
Source
> The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
1) From the metrics I recalled when I interviewed there, and assuming the given probability is correct, that means a potential of 100k-200k pages with private data leaked every day.
2) What's the probability that a page is served to a cache engine? Not a clue. Let's assume 1/1000.
3) That puts a bound around a hundred leaked pages saved per day into caches.
4) Do the cache only provide the latest version of a page? I think most do but not all. Let's ignore that aspect.
5) What's the probability that a page contains private user information like auth tokens? Maybe 1/10?
6) So, that's 10 pages saved per day into the internet search caches.
7) That's on par with their announcement: "With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains." Well, not that we know for how long this was running.
8) Now, I don't want to downplay the issue, but leaking a dozen tokens per day is not that much of a disaster. Sure it's bad, but it's not remotely close to the leak of the millennium and it's certainly not an internet-scale leak.
9) For the record, CloudFlare serves over one BILLION human beings. Given the tone and the drama I expected way more data from this leak. This is a huge disappointment.
Happy Ending: You were probably not affected.
The list of affected sites is quite long, TL is there, so is Reddit, patreon, Yelp, stackoverflow and many others.
https://github.com/pirate/sites-using-cloudflare
We have got some very good Programmers here on TL, what insight can you guys give to the TL'ers?
|
Authy, Patreon, Uber, Stackoverflow (apparently confirmed as not affected), Curse, Discord... lots of sites that TLers most likely use fairly often.
Authy is what makes me a bit worried. Provides two-factor authentication for Twitch and Discord for example.
Here is the 'thread' by Tavis Ormandy, who found the vulnerability.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.
Importantly though:
I worked with cloudflare over the weekend to help clean up where I could. I've verified that the original reproduction steps I sent cloudflare no longer work.
We've been trying to help clean up cached pages inadvertently crawled at Google. This is just a bandaid, but we're doing what we can. Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know.
I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have, etc. We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).
We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
And for the laughs:
Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. https://hackerone.com/cloudflare Needless to say, this did not convey to me that they take the program seriously.
Fuck me, rofl.
|
I have no idea what this means. I googled what CloudFlare does exactly, and it sounds rather useful, but I'm not sure what this vulnerability means. Shouldn't https to cloudflare be the same encrypted gibberish as https to anywhere else? So unless cloudflare is dumping unencrypted data somewhere somehow, what does this mean?
|
On February 24 2017 19:49 Acrofales wrote: I have no idea what this means. I googled what CloudFlare does exactly, and it sounds rather useful, but I'm not sure what this vulnerability means. Shouldn't https to cloudflare be the same encrypted gibberish as https to anywhere else? So unless cloudflare is dumping unencrypted data somewhere somehow, what does this mean?
The parser failed to correctly upgrade HTTP content to encrypted HTTPS, resulting in data being made available without any protections.
http://www.wired.co.uk/article/cloudflare-cloudbleed-passwords-leaked-online
|
a company of cloudflare's size and coverage offering a t-shirt for its bug bounty reward? lol
|
Cloudbleed means that any site that had its data (http or https, doesn't matter) go through CF might be affected.
The effect of the error in the code is that the servers of CF had memory leaks. Memory leaks are exactly what they sound like: bits of the RAM data get "leaked", or, to spell it out, returned to the server/user that made the request "causing" the leak.
Thus, if I were a Google server and requested all of the pages of Team Liquid (.net), and that data went through CF, I might also get data returned that the TL host, through CF, might have accessed (and thus had placed in RAM on the server). It might not be all; it could just be snippets of data. Just that... those snippets include everything: usernames, passwords, "secrets" from 2FA (two-factor authentication), frames from video files, a corner of a .jpg file. Anything.
To make sure of that, apart from any possible data that is now already "public" (i.e., indexed by search engines), you (users and admins alike) should change the following:
- database passwords
- server passwords
- SSH keys to/from servers/user accounts
- other encryption/authentication keys
Also change passwords to password managers! (Like LastPass; it was confirmed that 1Password was not affected, I saw the link somewhere, can't find it in my history anymore though.)
So yea, this is potentially very serious as ANY information that should've been kept secret "might" now be publicly available in a search engine index.
For example, some of the leaked data via this link: https://duckduckgo.com/?q= {"scheme":"http"} CF-Host-Origin-IP&t=h_&ia=web Or run your own search on DDG using: {"scheme":"http"} CF-Host-Origin-IP
Happy changing your privates
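The "bits of RAM returned to whoever made the request" mechanism described above, as an added example that is not from this thread and is not Cloudflare's code: a constructed C model in which request A's page (with an unterminated attribute) sits in front of request B's data in one shared buffer, an unbounded attribute copy runs past A's page into B's bytes, and a bounds-checked copy does not. The arena layout, page, secret and function names are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of a proxy worker's shared memory: request A's HTML page sits
 * directly in front of request B's data. Hypothetical layout, not Cloudflare's. */
#define ARENA 96
static char arena[ARENA];
static size_t page_len;            /* bytes of arena that belong to request A */

static void build_arena(void) {
    const char *page  = "<a href=\"http://example.test/x";  /* quote never closed */
    const char *other = "Cookie: session=SECRET-B-TOKEN";   /* request B's data */
    memset(arena, 0, sizeof arena);
    page_len = strlen(page);
    memcpy(arena, page, page_len);
    memcpy(arena + page_len, other, strlen(other));
}
/* Return the byte after href=" inside [p, pe), or NULL if absent. */
static const char *find_href(const char *p, const char *pe) {
    for (; p + 6 <= pe; p++)
        if (memcmp(p, "href=\"", 6) == 0) return p + 6;
    return NULL;
}
/* Vulnerable: stops only at a closing quote or NUL, never at the page boundary,
 * so an unterminated attribute makes it copy request B's bytes into A's output. */
static size_t copy_href_unsafe(const char *page, char *out, size_t outsz) {
    const char *p = find_href(page, page + strlen(page));  /* strlen runs past A */
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    while (*p && *p != '"' && n + 1 < outsz) out[n++] = *p++;
    out[n] = '\0';
    return n;
}
/* Fixed: every read is checked against pe, the real end of this request's page. */
static size_t copy_href_safe(const char *page, size_t len, char *out, size_t outsz) {
    const char *pe = page + len;
    const char *p = find_href(page, pe);
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    while (p < pe && *p != '"' && n + 1 < outsz) out[n++] = *p++;
    out[n] = '\0';
    return n;
}
static char value[ARENA];          /* attribute value produced by the last parse */
/* Parse A's page with the chosen copier; 1 if B's secret ended up in the value. */
static int leaked_b(int use_fix) {
    build_arena();
    if (use_fix) copy_href_safe(arena, page_len, value, sizeof value);
    else         copy_href_unsafe(arena, value, sizeof value);
    return strstr(value, "SECRET-B-TOKEN") != NULL;
}
static const char *last_value(void) { return value; }
```

With the unbounded copier the parsed href for request A comes back carrying request B's cookie; with the bounded one it is just `http://example.test/x`.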
|
On February 24 2017 20:11 Yurie wrote: On February 24 2017 19:49 Acrofales wrote: I have no idea what this means. I googled what CloudFlare does exactly, and it sounds rather useful, but I'm not sure what this vulnerability means. Shouldn't https to cloudflare be the same encrypted gibberish as https to anywhere else? So unless cloudflare is dumping unencrypted data somewhere somehow, what does this mean? The parser failed to correctly upgrade HTTP content to encrypted HTTPS, resulting in data being made available without any protections. http://www.wired.co.uk/article/cloudflare-cloudbleed-passwords-leaked-online
Okay, that makes sense. Thanks. They link through to this site: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.xdw2fw4tq for what end users should do, but I don't understand the advice:
From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords. While this might not be necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues. Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites. Best practice is to use a long random string for each password, unique for each site, and to manage that collection using a “password manager”, such as 1Password, LastPass, or the built-in password managers in modern web browsers. Users should also log out and log in to their mobile applications after this update. While you’re at it, if it’s possible to use 2FA or 2SV with sites you consider important (using something like TOTP/Google Authenticator or U2F), that’s a meaningful security upgrade, too.
2FA or 2SV makes sense. Obviously using unique passwords for different sites also makes sense. But because such passwords are impossible to remember (hell, I use about 6 different passwords and "obsolete" them every now and then by replacing them, yet still have problems remembering which password I used where), you would absolutely need one of those password managers. But doesn't this return us to a single point of failure? What if the service you happen to choose is insecure (let's say 1Password gets hacked)? Why is that better in any way, shape or form, than Google getting hacked? So all it seems to do is add an extra way to hack my Google account (can go straight to Google, or go through 1Password). Either way they have access to my emails (and if they have full access, they can easily get access to most of my other accounts by having the password reset and sent to my email account). So what exactly is the point? Using the browser's password manager is a more secure solution (you'd need physical access to the machine), but also means that you can only log on from one machine, because there's no way you can remember a whole list of randomly generated unique passwords.
|
On February 24 2017 20:42 Acrofales wrote: On February 24 2017 20:11 Yurie wrote: On February 24 2017 19:49 Acrofales wrote: I have no idea what this means. I googled what CloudFlare does exactly, and it sounds rather useful, but I'm not sure what this vulnerability means. Shouldn't https to cloudflare be the same encrypted gibberish as https to anywhere else? So unless cloudflare is dumping unencrypted data somewhere somehow, what does this mean? The parser failed to correctly upgrade HTTP content to encrypted HTTPS, resulting in data being made available without any protections. http://www.wired.co.uk/article/cloudflare-cloudbleed-passwords-leaked-online
Okay, that makes sense. Thanks. They link through to this site: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.xdw2fw4tq for what end users should do, but I don't understand the advice:
From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords. While this might not be necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues. Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites. Best practice is to use a long random string for each password, unique for each site, and to manage that collection using a “password manager”, such as 1Password, LastPass, or the built-in password managers in modern web browsers. Users should also log out and log in to their mobile applications after this update. While you’re at it, if it’s possible to use 2FA or 2SV with sites you consider important (using something like TOTP/Google Authenticator or U2F), that’s a meaningful security upgrade, too.
2FA or 2SV makes sense. Obviously using unique passwords for different sites also makes sense. But because such passwords are impossible to remember (hell, I use about 6 different passwords and "obsolete" them every now and then by replacing them, yet still have problems remembering which password I used where), you would absolutely need one of those password managers. But doesn't this return us to a single point of failure? What if the service you happen to choose is insecure (let's say 1Password gets hacked)? Why is that better in any way, shape or form, than Google getting hacked? So all it seems to do is add an extra way to hack my Google account (can go straight to Google, or go through 1Password). Either way they have access to my emails (and if they have full access, they can easily get access to most of my other accounts by having the password reset and sent to my email account). So what exactly is the point? Using the browser's password manager is a more secure solution (you'd need physical access to the machine), but also means that you can only log on from one machine, because there's no way you can remember a whole list of randomly generated unique passwords.
There are offline password managers where they have to snatch your file and then break your password on it. The most popular is KeePass. Many keep a copy of their file on Dropbox so they can use it on different devices. It doesn't really matter if somebody gets the file, since you have a very, very strong master password memorised for it.
|
So this reads like it's a big deal, but if it is, why isn't this being highlighted more strongly by TL management?
|
On February 24 2017 21:31 KOFgokuon wrote: So this reads like it's a big deal, but if it is, why isn't this being highlighted more strongly by TL management?
Because it isn't a big deal and it has been hours since the story broke. It is at most a medium deal and TL still needs time to check the facts and come out with a statement that is correct and relevant.
|
On February 24 2017 21:35 Yurie wrote: On February 24 2017 21:31 KOFgokuon wrote: So this reads like it's a big deal, but if it is, why isn't this being highlighted more strongly by TL management? Because it isn't a big deal and it has been hours since the story broke. It is at most a medium deal and TL still needs time to check the facts and come out with a statement that is correct and relevant.
It is a big deal. The story broke a few hours ago, but the leak has been happening for months. Changing all your passwords is the least you can do to be somewhat safe. Enabling 2FA is another step that would be suited to being even safer.
|
So I was 99% sure we weren't affected but I wanted to wait for R1CH to confirm.
Changed the thread title to reflect this.
EDIT: Still, changing passwords and using a password manager that creates a unique password for each website or service you use is highly recommended.
|
Looks like TL isn't affected, someone should probably re-name the thread:
The list on GitHub apparently lists all (or at least a lot of) Cloudflare's DNS users, but that service isn't really the problem for the data breach. Nonetheless, it's a good idea to use password managers and not re-use passwords.
|
R1CH is the man. I was worried there for a second, phew... TL! TL! TL!
|
He tweeted this last night:
|