Cloudbleed - Might want to change your passwords.


Chindie

Quote

Big-name websites leaked people's private session keys and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google researchers.

As we'll see, a single character – '>' rather than '=' – in Cloudflare's software source code sparked the security blunder.

Cloudflare helps companies spread their websites and online services across the internet. Due to a programming blunder, for several months Cloudflare's systems slipped random chunks of server memory into webpages, under certain circumstances. That means if you visited a website powered by Cloudflare, you may have ended up getting chunks of someone else's web traffic hidden in your browser page.

For example, Cloudflare hosts Uber, OK Cupid, and Fitbit, among thousands of others. It was discovered that visiting any site hosted by Cloudflare would sometimes cough up sensitive information from strangers' Uber, OK Cupid, and Fitbit sessions. Think of it as sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse.

This leak was triggered when webpages had a particular combination of unbalanced HTML tags, which confused Cloudflare's proxy servers and caused them to spit out data belonging to other people – even if that data was protected by HTTPS.

...

The blunder was first spotted by Tavis Ormandy, the British bug hunter at Google's Project Zero security team, when he was working on a side project last week. He found large chunks of data including session and API keys, cookies and passwords in cached pages crawled by the Google search engine. These keys can be used to log into services as someone else.

"The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up," he said today in an advisory explaining the issue.

"I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Ormandy said that the Google team worked quickly to clear any private information and that Cloudflare assembled a team to deal with it. He provisionally identified the source of the leaks as Cloudflare's ScrapeShield application, which is designed to stop bots copying information from websites wholesale, but it turns out the problems ran deeper than that.

The Register

This looks quite, quite bad.

I'm sure our techier users will let us know this is scaremongering or the like, but for now changing your passwords seems sensible.
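
The end-of-buffer test the quoted article alludes to, as an added example that is not part of the original post and is not Cloudflare's code: a simplified scanner whose equality test can be jumped over, next to the same scanner with a `>=` test. The buffer contents, the `scan` function and the two-byte step on `<` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: PAGE is the response being scanned; SECRET stands in
 * for another request's data that happens to sit next to it in memory. */
#define PAGE   "<p>hi<"
#define SECRET "Cookie: session=CONSTRUCTED"
static const char mem[] = PAGE SECRET;

/* Copy the first len bytes of mem to out. A '<' advances the pointer by two,
 * modelling a parser action that moves p again before the end test runs.
 * strict=0 stops only when p == pe; strict=1 stops when p >= pe.
 * Returns the number of bytes emitted; out is NUL-terminated. */
static size_t scan(size_t len, int strict, char *out, size_t outsz)
{
    const char *p = mem, *pe = mem + len;
    const char *hard = mem + sizeof mem - 1; /* demo bound: stay inside mem */
    size_t n = 0;

    while (p < hard && n + 1 < outsz) {
        if (strict ? (p >= pe) : (p == pe))
            break;                 /* end of this page's buffer */
        out[n++] = *p;
        p += (*p == '<') ? 2 : 1;  /* the two-byte step can jump over pe */
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[128];
    size_t len = strlen(PAGE);

    scan(len, 0, out, sizeof out);
    printf("p == pe : %s\n", out); /* runs on into the neighbouring bytes */
    scan(len, 1, out, sizeof out);
    printf("p >= pe : %s\n", out); /* stops at the page boundary */
    scan(len - 1, 0, out, sizeof out);
    printf("no trailing '<', p == pe : %s\n", out);
    return 0;
}
```

Only the page that ends in an unfinished tag overruns, which matches the article's "under certain circumstances": the same equality test behaves correctly on the page without the trailing `<`.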


28 minutes ago, Chindie said:

The Register

This looks quite, quite bad.

I'm sure our techier users will let us know this is scaremongering or the like, but for now changing your passwords seems sensible.

Make sure you are using 2FA and wherever possible, use your 2FA Google, Facebook, Twitter or PayPal account to log in to websites. Even VillaTalk allows you to do this. (Click your name in the top right, account, settings.)

Do not use services which are just username and password.

Use a VPN if you are doing anything you wouldn't write on a postcard. Pay for that VPN so that you aren't the product.

None of this advice is related to the article - everyone should be doing this routinely.
