Massive user data leak on MyBroadband (and others) due to Cloudbleed issue

MagicDude4Eva

Watch the Cloudbleed issue being downplayed and it will only hit broader news in days to come. If you use a generic password across multiple sites (such as forums and blogs) and you happen to use the same password for your email/banking, I suggest you change it.

No fear-mongering, but a good explanation here: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.mo5h83sh9

Looking at you iol.co.za, mg.co.za and mybroadband.co.za and 6200 other domains:

Code:
~/Sandbox: grep -i "mybroadband" sorted_unique_cf.txt
mybroadband.co.za
mybroadband.co.za

grep -i "co\.za" sorted_unique_cf.txt | wc -l
6188

Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time, meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

Source: https://news.ycombinator.com/item?id=13719518 and https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Would "Have I been pwned?" have sent out emails if you set it to notify you?
 
Would "Have I been pwned?" have sent out emails if you set it to notify you?

Nope - the vulnerability was just disclosed as it was patched, but leaked data for a good 6 months. Let's see how long it will take for that SA e-commerce site to advise password changes (you would have noticed that most big sites would have prompted you for password changes and some would have told you why).
 
Got an email from Cloudflare. Going through the list provided above, I have seen at least 3 of the domains I manage through them.

Yes - Cloudflare is horrible. They have refused to publish a list of affected domains and as far as I understand, they will not even contact owners. So it is up to you to check and possibly follow these guys: https://github.com/pirate/sites-using-cloudflare
 
[attached image: mybroadband cloudbleed]

Looking at you iol.co.za, mg.co.za and mybroadband.co.za and 6200 other domains:
Hi, thanks for this - I was unaware. A question though: if mybroadband were legitimately affected by this "cloudbleed", where are the attempts to enforce a password change for users?
 
Got an email from Cloudflare. Going through the list provided above, I have seen at least 3 of the domains I manage through them.

The list provided is all the domains hosted on CloudFlare, not compromised ones.

The vulnerability only affects certain CF features, not the whole system, so even if you use them but don't have those features enabled or in use, then you are not affected. What they did was to search through search engine caches for anything that appears to have leaked data in it, and if they can't find any for your domain, you got the "all clear" email you mentioned.

I am going to assume that if they DID find anything you will get a different email.

Also, here's the official CloudFlare posting, which I don't see in this thread yet. It spells out the issue, and how it can disclose data. I believe it's less serious than what the tech media is reporting.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Hi, thanks for this - I was unaware. A question though: if mybroadband were legitimately affected by this "cloudbleed", where are the attempts to enforce a password change for users?

You will not know what data was leaked, the only thing for certain is that the leakage occurred from September 2016 to February 2017 and affected a good 4m domains on the Cloudflare network. People will completely misunderstand Cloudbleed and I doubt most local IT publications will report on it correctly (or at all) - everyone seems to focus on the stupid SHA1-collision which is a non-issue.

I consider the Cloudbleed leak more serious, as it can leak your auth-tokens, which gives anyone immediate access to the site affected. To illustrate what this could mean, here is a private message intercepted from OKCupid:
[attached screenshot: red.jpg]

While this does not necessarily mean that all sites are compromised, there is a good chance that over the last 6 months leaked information has been harvested and will eventually surface (the same way Yahoo, LinkedIn and others appeared). FWIW: This does not only affect websites, but also native apps using some of the features.

Changing the password is not good enough, if the auth-token is not revoked by the site during the password change.


BTW - this is what one of the Google engineers said:
We've been trying to help clean up cached pages inadvertently crawled at Google. This is just a bandaid, but we're doing what we can. Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know.

I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have, etc. We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).

Really impressed with Cloudflare's quick response, and how dedicated they are to cleaning up from this unfortunate issue. I told them I hoped they were able to get some sleep during the incident, and an engineer responded:

"It's going to be a long weekend for us, but this is really important to us. We need to protect as many people as we can and we need to make sure this can never happen again on our watch."

and this:
We keep finding more sensitive data that we need to clean up. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

and before it disappears:
Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

They've left it too late to negotiate on the content of the notification.

Let's hope that their notification in combination with the details from this issue will be adequate explanation of what happened. I think we're waiting for cached links to start expiring, and then we're publishing whether they're ready or not.
Also, here's the official CloudFlare posting, which I don't see in this thread yet. It spells out the issue, and how it can disclose data. I believe it's less serious than what the tech media is reporting.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

It is downplayed. See some of the snippets I posted from one of the Google engineers. Project Zero had a ton more comments regarding this (which have now been deleted, but I read them) and while Cloudflare dealt with the issue as soon as they knew about it.

I think the OKCupid screenshot is a valid enough explanation that the issue is serious enough and it will probably take months until the full extent will be known. I decided to create this post so that in a year's time I can come back and then gleefully say "I told you so" :whistle:
 
It is downplayed. See some of the snippets I posted from one of the Google engineers. Project Zero had a ton more comments regarding this (which have now been deleted, but I read them) and while Cloudflare dealt with the issue as soon as they knew about it.

I think the OKCupid screenshot is a valid enough explanation that the issue is serious enough and it will probably take months until the full extent will be known. I decided to create this post so that in a year's time I can come back and then gleefully say "I told you so" :whistle:

I agree with you on one thing, though: irrespective of the severity, the sites involved need to kill their current stored sessions and/or API keys, and ask users to re-login. And send a notification out asking users to reset their passwords. That is prudent, and I have already done so for the sites that require a login that I manage (some sites are purely informational), and so far one of the non-SA sites I subscribe to has done the same.
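As an added example (not code from this thread, from MyBroadband or from Cloudflare), here is a minimal session store that shows the point made in this reply and in the earlier one about auth-tokens: a password change that only swaps the hash leaves a leaked token working, while one that also moves the user's revocation point kills every existing session and API key. All names are hypothetical and timestamps are passed in explicitly.

```python
# Added example, not code from the thread or from Cloudflare. Names such as
# User, issue_session and change_password_and_revoke are hypothetical, and
# timestamps are passed in so the demonstration is deterministic.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class User:
    name: str
    password_hash: str                 # stand-in for a real password hash
    sessions_valid_from: float = 0.0   # tokens issued before this are dead
    api_keys: Set[str] = field(default_factory=set)

USERS: Dict[str, User] = {}
SESSIONS: Dict[str, Tuple[str, float]] = {}   # token -> (user, issued_at)

def issue_session(name: str, now: float) -> str:
    """Create a random bearer token for the user and record when it was issued."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (name, now)
    return token

def validate_session(token: str) -> Optional[str]:
    """Return the user a token belongs to, or None if it is unknown or revoked."""
    rec = SESSIONS.get(token)
    if rec is None:
        return None
    name, issued_at = rec
    # A token issued before the user's last revocation point is rejected and
    # dropped, even though it is still sitting in the store.
    if issued_at < USERS[name].sessions_valid_from:
        del SESSIONS[token]
        return None
    return name

def change_password_only(name: str, new_hash: str) -> None:
    """The insufficient fix: a leaked token keeps working after this."""
    USERS[name].password_hash = new_hash

def change_password_and_revoke(name: str, new_hash: str, now: float) -> None:
    """Password change that also kills every session and API key issued so far."""
    USERS[name].password_hash = new_hash
    USERS[name].sessions_valid_from = now   # re-login must get a later timestamp
    USERS[name].api_keys.clear()
```

A real deployment would keep the revocation timestamp next to the user record in the database and check it on every authenticated request, so tokens cached anywhere outside the site's control become worthless the moment the user resets.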