Cloudflare/Cloudbleed
  • Cloudflare/Cloudbleed

    Apparently Cloudflare had sprung a leak and sensitive information may have bled out into the interwebs. I know little about such things but it may behoove people to change their passwords.
    Pool Manager - Lombardi Handicappers League - An NFL Pick 'Em Pool

    https://youtu.be/HLNhPMQnWu4

  • #2
    https://blog.cloudflare.com/incident...re-parser-bug/
    It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

    For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

    We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

    From what I can tell, this didn't affect sites which use HTTPS, which Apolyton has in the timeframe in question, though I'm not absolutely sure that the Automatic HTTPS rewrites couldn't have affected some users. (I don't think it would, since to get to the login page you already have to have been redirected to HTTPS.)

    The chance that it affects any given user is extremely low even in the worst case ... but still to be safe, consider changing any passwords you use for sites that use CloudFlare.
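The over-read mechanism the quoted blog post describes, as an added example in C that is neither Cloudflare's code nor the forum poster's (the tag scanner, the arena layout and the "cookie" bytes are constructed for illustration): a parser that scans for the end of a tag without honouring the end of its input buffer, beside the bounds-checked form, with adjacent memory standing in for the unrelated request data that ended up in responses.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena: the HTML fragment being parsed is immediately followed
 * by unrelated memory (a fake session cookie), as it might be on a heap.
 * The parser is only ever told about the first HTML_LEN bytes. */
static const char ARENA[] =
    "<a href=\"/login\""                             /* unterminated tag */
    "SESSION=deadbeef; token=constructed-secret>";   /* adjacent data    */
#define HTML_LEN 16                       /* bytes of ARENA that are input */
#define ARENA_LEN (sizeof(ARENA) - 1)

/* Vulnerable scan: looks for the closing '>' but never checks the bound it
 * was given, so on an unterminated tag it keeps reading whatever follows
 * and reports those bytes as part of the "tag". */
int tag_end_unchecked(const char *p, size_t len) {
    (void)len;                            /* bound ignored: this is the bug */
    const char *q = p;
    while (*q != '>')                     /* stays inside ARENA only by luck */
        q++;
    return (int)(q - p);
}

/* Hardened scan: the end pointer pe is what terminates the loop, and an
 * unterminated tag is reported as an error instead of being guessed at. */
int tag_end_checked(const char *p, size_t len) {
    const char *pe = p + len;
    for (const char *q = p; q < pe; q++)
        if (*q == '>')
            return (int)(q - p);
    return -1;
}

/* Number of bytes beyond the declared input that the unchecked scan would
 * treat as tag content, i.e. the size of the disclosure for this arena. */
int bytes_leaked(void) {
    int end = tag_end_unchecked(ARENA, HTML_LEN);
    return end > HTML_LEN ? end - HTML_LEN : 0;
}

int main(void) {
    printf("unchecked scan ran %d bytes past the input: %.*s\n",
           bytes_leaked(), bytes_leaked(), ARENA + HTML_LEN);
    printf("checked scan on the same input returns %d\n",
           tag_end_checked(ARENA, HTML_LEN));
    return 0;
}
```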
