CloudFlare and CloudBleed: these two words have been trending topics on the Internet for the past few days. CloudFlare is one of the popular Internet service companies that provides CDN, DNS, DDoS protection and security to millions of websites worldwide. Unfortunately, a critical security bug affected CloudFlare's servers. All the websites protected by CloudFlare have been affected since September 2016. This bug has exposed the passwords, private messages and other sensitive data of users and customers of popular websites, including Uber, FitBit, and OKCupid.
If you're using CloudFlare, or if you're visiting a website that uses CloudFlare, you must change your passwords on those sites. Reports say that the amount of leaked data is huge. If you're a CloudFlare customer, you should find out whether your domain is affected.
Who discovered this bug?
Tavis Ormandy, a researcher from Google's Project Zero, has revealed that CloudFlare leaked customer data from September 22nd, 2016 to February 18th, 2017. The CloudBleed bug has affected almost 4,287,625 domains. Worst of all, some of the leaked data has already been indexed by the Google search engine, and the owners of the affected websites are desperately working to remove the caches. This is one of the biggest and most terrifying bugs found in 2017.
Check If a Domain Is Affected By CloudFlare's Bug
Click the following link and enter the domain name. It will immediately reveal whether the domain is affected or not.
Enter your domain name (e.g. ostechnix.com).
As you see in the above output, the domain ostechnix.com is not affected by this bug and is safe to use.
If a domain is affected, you will see a message that says:
This domain is affected. Close all active sessions for this service, change your passwords, and enable 2FA.
The following screenshot shows a domain affected by CloudFlare's bug.
I found that some of the popular Linux-related websites and blogs are also affected by this bug. If you have registered or created an account on one of them, I strongly recommend that you change all your passwords and change the security questions. Even though this is not the domain owner's mistake, you still need to end all active sessions and immediately change all passwords.
The complete list of domains possibly affected by the CloudBleed HTTPS traffic leak is given in this link. Please be mindful that just because a domain is on the list does not mean the site is compromised, and some sites may be compromised that do not appear on this list. I strongly recommend that you change all passwords and security questions if you have registered on domains that use Cloudflare DNS.
What should I do?
If you are the owner of an application that uses CloudFlare, you need to do the following.
- If any service in your company uses Cloudflare, ask your employees and colleagues to reset their password.
- Tell your users their data has been potentially compromised.
- Advise your users to change their passwords. If you handle highly sensitive information, you may want to proactively lock their accounts and send them an email to reset their password.
- Advise your users who are using 2FA (two-factor authentication) to redo their 2FA setup.
If you're a CloudFlare user, or if you're visiting a website/blog that uses CloudFlare services, you should do the following:
- Reset your passwords on the impacted websites
- Reconfigure your device-based 2FA (e.g. Google Authenticator, but not text-message-based 2FA) on websites.
- Change your secret questions and answers on the impacted websites/forums that use CloudFlare's services.
My website that uses CloudFlare CDN is affected. What should I do now?
If you're using WordPress websites with CloudFlare, you need to change the admin password and other WordPress users' passwords immediately. Also, ask your site members to change their passwords, or forcibly reset their passwords at the next login.
More importantly, you need to change your wp-config.php salts. To do so, edit the wp-config.php file, change the following highlighted text, and save it.
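The salt change can also be scripted rather than edited by hand. The following is an added example, not code from the original article or from WordPress: it replaces the eight standard key and salt define() lines in the text of a wp-config.php file with fresh random values and reports any that were not found. The function names and the sample input are assumptions made for illustration.

```python
import re
import secrets

# The eight secret keys and salts that WordPress reads from wp-config.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# No quote or backslash, so values need no escaping in a single-quoted PHP string.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_[]{}<>~+=,.;:/?|")
# Matches define('NAME', 'value'); with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?:\\.|(?!\3).)*\3\s*\)\s*;""")


def new_secret(length=64):
    """Build one value from the OS CSPRNG (secrets), not from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, rotated, missing) after replacing every salt value."""
    rotated = []

    def swap(match):
        name = match.group("name")
        if name not in SALT_NAMES:
            return match.group(0)  # DB_NAME and other settings stay untouched
        rotated.append(name)
        return "define( '%s', '%s' );" % (name, new_secret())

    new_text = DEFINE_RE.sub(swap, config_text)
    # A name listed here was not found; it still holds its old (or no) value.
    missing = [n for n in SALT_NAMES if n not in rotated]
    return new_text, rotated, missing


# Constructed sample input, not a real configuration file.
SAMPLE = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" + "".join(
    "define( '%s', 'old-value-%d' );\n" % (n, i) for i, n in enumerate(SALT_NAMES))

if __name__ == "__main__":
    text, rotated, missing = rotate_salts(SAMPLE)
    print(text)
    print("rotated:", rotated, "missing:", missing)
```

Replacing these values invalidates existing login cookies, so every logged-in user, including administrators, has to sign in again.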
Non-WordPress users need to refer to the documentation of their particular publishing platform (CMS) to find out how to do this. You can also contact your hosting provider and get help from them.
The good news is this bug has already been fixed
This bug was fixed by the CloudFlare security team on February 18th. However, the leaked data will probably still be available in search engine caches. If you're a CloudFlare customer or user, you must do all the things we have described above. To learn more about this bug and how the CloudFlare security team fixed it, read the CloudFlare blog (the link is attached below).
Source and Reference links: