Cloudfare HTTPS Traffic Leak (aka Cloudbleed) - Change Your Passwords!

[AntiProtonBoy]

Major security flaw in Cloudflare services has been discivered [1] which apparently has been leaking customer HTTPS sessions for quite some time now [2, 3]. Services such as Uber, 1Password, FitBit, OKCupid, and more, maybe affected. To give you an idea how bad the situation is, let me quote you an excerpt from [1]:

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

I suspect that we could be seeing a future data dump or two for some of the popular online services. Keep your eyes peeled on this one. If you are on any of the websites listed in [4], change your passwords! Looks like the EEVblog domain might be affected, too (I found it on the domain list in [4]).

1. Cloudflare Reverse Proxies are Dumping Uninitialized Memory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

2. Reddit discussion
https://www.reddit.com/r/programming/comments/5vtv16/cloudflare_have_been_leaking_customer_https/

3. Hacker News discussion
https://news.ycombinator.com/item?id=13718752

4. List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak
https://github.com/pirate/sites-using-cloudflare

[Monkeh]

Yaaaaaay single point of failure.

[Jeroen3]

Yes, shit is hitting the fan.
Google de-autheticated all my session yesterday. Google does not do that on small rumors.

[sleemanj]

CF working with search engines to "purge the caches" seems a lot like covering a mound of shit with a rug and calling it cleaning.  There are caches *everywhere*, not just in major search engines, my sites have a constant uninterrupted stream of bots, some announced, many not (Chinanet ip address.....), who knows how many of them cache the entire html.  I wonder if it is even in the best interests to purge those large search engine caches at all, better you KNOW that data has been compromised....

[jimdeane]

Jesus.  Is there some sort of checker program that could search history and saved sites to highlight ones you use that are compromised?

[SeanB]

Amipwned.com is a good place to start from........

[station240]

Also been picked up by zdnet.
http://www.zdnet.com/article/cloudflare-found-leaking-customer-https-sessions-for-months/

I wonder if the odd bugs in this forum will fix themselves now, as they always seem to be something in Cloudflare rather than the forum software itself. You know the ones where a topic loads for some people and not others.

[helius]

Jesus.  Is there some sort of checker program that could search history and saved sites to highlight ones you use that are compromised?

Yes, if your browser uses an open format for its history.
https://gist.github.com/zweizeichen/10bca3803b54070090ac48f5173910b2