Cloudflare bug: Major dataleak

**Arjen Zijlstra** · 24-02-2017, 05:55

https://techcrunch.com/2017/02/23/ma...mers-websites/

https://arstechnica.com/security/201...customer-data/

Linkdump want net wakker en op mobiel

Snel je ww aanpassen ( ook van SD) en evt gebruikers informeren

**Arjen Zijlstra** · 24-02-2017, 05:57

Aanvullend van the register:

24 Feb 2017 at 01:47, Iain Thomson

Big-name websites leaked people's private session keys and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google security researchers.

Cloudflare helps companies spread their websites and online services across the internet. Due to a programming blunder, for several months Cloudflare's systems slipped random chunks of server memory into webpages, under certain circumstances. That means if you visited a website powered by Cloudflare, you may have ended up getting chunks of someone else's web traffic hidden in your browser page.

For example, Cloudflare hosts Uber, OK Cupid, and Fitbit. It was discovered that visiting any site hosted by Cloudflare would sometimes cough up sensitive information from strangers' Uber, OK Cupid, and Fitbit sessions. Think of it as sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse.

This leak was triggered when webpages had a particular combination of unbalanced HTML tags, which confused Cloudflare's proxy servers and caused them to spit out data belonging to other people – even if that data was protected by HTTPS

**Arjen Zijlstra** · 24-02-2017, 06:38

Gaat om miljoenen websites, een kleine greep van bekende sites;

authy.com
coinbase.com
betterment.com
transferwise.com
prosper.com
digitalocean.com
patreon.com
bitpay.com
news.ycombinator.com
producthunt.com
stackoverflow.com
medium.com
reddit.com
4chan.org
yelp.com
okcupid.com
zendesk.com
uber.com
namecheap.com
poloniex.com
localbitcoins.com
kraken.com
23andme.com
fastmail.com (does not proxy TLS, probably safe from this attack)
1password.com (not affected)
Full list here: https://github.com/pirate/sites-using-cloudflare

**Arjen Zijlstra** · 24-02-2017, 17:46

Dit is ook wel wat:

It was discovered that visiting any site hosted by Cloudflare would sometimes cough up sensitive information from strangers' Uber, OK Cupid, and Fitbit sessions.

Wat zal dat voor effect op statistieken hebben gehad?
Dus je analytics of wat dan ook waarop je je keuzes en investeringen baseert?

**Jeffrey V M** · 25-02-2017, 11:26

Bedankt voor de informatie. Voor de zekerheid verander ik toch maar mijn wachtwoorden van websites die cloudflare gebruiken.
Voor mensen die toevallig ook willen checken of een website cloudflare gebruikt vond ik een handige site: http://www.cdnplanet.com/tools/cdnfinder/

Voor https sites werkt bovenstaande site volgens mij niet, maar dan kun je kijken op bijv. whois.com en daar de website intikken en dan kijken onder het kopje 'Nameservers'. Als daar Cloudflare staat dan gebruikt die website Cloudflare.

Cloudflare bug: Major dataleak