ArielMT Posted February 24, 2017

A security researcher at Google, Tavis Ormandy, discovered last week that Cloudflare was inadvertently leaking private and sensitive data from sites they proxy. Cloudflare fixed the problem (since nicknamed "Cloudbleed") last weekend and spent a lot of this week working with search engine partners to scrub what sensitive data leaked out from their search results. The details were disclosed on Thursday (today as I write).

References:

"Cloudflare Reverse Proxies are Dumping Uninitialized Memory" by Tavis Ormandy, Google.

"Incident report on memory leak caused by Cloudflare parser bug" by John Graham-Cumming, Cloudflare.

There is no evidence of this yet, but Phoenixed Forums was potentially affected. It's improbable but still possible that Cloudbleed could have allowed someone with an interest to see sensitive information such as account passwords. Therefore, you should consider changing your passwords earlier than you intended.

ArielMT Posted February 24, 2017

It appears that Cloudbleed was a very serious vulnerability inside the Cloudflare network, and the impact was severe and widespread enough that major news organizations like Reuters covered the story. It doesn't yet look like anything malicious was done with the leaks, but it's also impossible to tell which of Cloudflare's millions of sites had private user data exposed.

The odds of us being affected are very low, by way of being a very low-traffic website, but the consequences of being affected are just the same as big-name websites like Uber and Fitbit. The only possible answers to whether a site using Cloudflare was affected or not are, "Yes, the site was definitely affected because data was found," or, "Maybe, because data wasn't found yet." We're in the Maybe column right now.

You should change your passwords not just on Phoenixed Forums but on other websites you know use Cloudflare as well, especially if you use the same password on more than one site, or if you use a cloud-synced password manager that uses a site behind Cloudflare to synchronize your passwords. If you've done so since Cloudflare disclosed the bug, then you should be OK.

RTDragon Posted February 24, 2017

Ah, thank you for this. Just did, as well as the password to my Discord account.