Cloudflare bug, Reset all your passwords

Closed Thread
  1. #1

    Join Date
    Jan 2010
    Posts
    6,452

    Cloudflare bug, Reset all your passwords

    Maybe @shri can sticky that since Geo uses Cloudflare.

    No idea how the details work, but some Cloudflare flaw has allowed attackers to get cached passwords from most sites using Cloudflare's services.

    Patreon, Uber, Yelp, Coinbase, Fitbit etc. are affected.


    Cloudflare data leak potentially exposed trove of passwords, personal information for months | PBS NewsHour
    https://techcrunch.com/2017/02/24/ho...oudflare-leak/


  2. #2

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,971

    I think there is a fair bit of misinformation in the press at the moment.

    We don't use their parse / modify services (email obfuscation in particular or their https redirects etc or server side excludes), just the CDN.

    A couple of places to look at:

    https://blog.cloudflare.com/incident...re-parser-bug/

    and the source of the discovery....

    https://bugs.chromium.org/p/project-...detail?id=1139

    (Not in any rush to change passwords, unless I hear something ...)


  3. #3

    Join Date
    Jan 2010
    Posts
    6,452

    That's good to know. I'm using a password manager so changing all passwords is just a few clicks.


  4. #4

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,971

    This is the scope of the problem:

    The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.
    We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.


  5. #5

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,971
    Quote Originally Posted by mrgoodkat:
    That's good to know. I'm using a password manager so changing all passwords is just a few clicks.
    Curious - what do you use? I'm on LastPass, but find it a pain in the arse to go "reset all passwords in a few clicks" - close to 200 sites with logins... each one has a different form which needs to get filled up to reset a password.

  6. #6

    Join Date
    Jan 2010
    Posts
    6,452

    I'm using 1Password, the old one, not the cloud-based one. I just went through each website one-by-one. With the browser plugin it's pretty fast. Right click - password generator - enter - update.
