- Fans call out Madonna for edited Eurovision video Tuesday 9:36 PM
- Partnered Twitch streamer temporarily banned for airing troll’s racist message Tuesday 8:45 PM
- Reddit theory says fans are wrong about who won ‘Game of Thrones’ Tuesday 6:52 PM
- Elon Musk hires ‘absolute unit’ sheep meme creator to be Tesla’s social media manager Tuesday 6:12 PM
- Jason Momoa stands by his Khaleesi after the ‘Game of Thrones’ finale Tuesday 4:05 PM
- Airbnb, 23andMe partner for creepy heritage travel recommendations Tuesday 3:26 PM
- Rep. Katie Porter goes viral again for trouncing Ben Carson (updated) Tuesday 3:26 PM
- This deepfake takes Bill Hader’s Schwarzenegger impression to the next level Tuesday 2:58 PM
- Wanda Sykes rails against Trump and offers much-needed perspective in ‘Not Normal’ Tuesday 2:41 PM
- Man arrested after allegedly threatening to shoot YouTube employees Tuesday 2:13 PM
- Some House Dems are backing away from the Save the Internet Act Tuesday 1:40 PM
- Thousands sign petition calling for Danny DeVito to play Wolverine Tuesday 1:02 PM
- Jason Mitchell fired from ‘Desperados’ and ‘The Chi’ after misconduct allegations Tuesday 12:36 PM
- Police raid Black woman’s house after white neighbor complains about loud Malcolm X speeches Tuesday 12:20 PM
- ‘Transfixed’ says it’s a ‘breakthrough’ series, but it still fetishizes trans bodies Tuesday 11:04 AM
Cloudflare bug leaks personal data from some of the web’s biggest sites
Change your passwords right now.
Your sensitive data may have been leaked from one of several big-name websites that were potentially affected by a typo in the code of hosting provider Cloudflare.
Private encryption keys, cookies, passwords, and HTTPS requests have all been spotted in public caches following a colossal error that let random bits of server memory slip into webpages during certain processes.
Tavis Ormandy, a security researcher at Google, first spotted the breach and immediately let Cloudflare know about it. The company fixed the problem just two days later, but the damage was done. Cloudflare learned the earliest leak dates all the way back to September 2016, which means personal information has been “randomly” appearing on websites for months.
Ormandy found hotel bookings, passwords, and messages from dating sites among the cached data. “I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident,” he wrote. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
That info was found stored in web browser cached pages. With help from Google, Yahoo, Bing, and others, 770 unique resource identifiers (URIs) were found that had been cached and contained leaked memory. Of those, 161 came from unique websites, according to a lengthy post Cloudflare wrote about the incident.
The root cause for the issue comes from the company’s use of a new HTML parser, which is basically a search bar for code that lets you easily find and edit sections of information. It underwent a buffer overflow, which Cloudflare says could have been avoided if it had simply been checked with “>=” instead of “==.”
Basically, a tiny error caused a massive problem.
The company says the greatest period of impact was from Feb. 13-18, with around one in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (around 0.00003% of requests). That may not seem like a lot, until you consider millions of businesses—including some of the world’s largest—use the service.
In a blog post, security expert Ryan Lackey offered some advice to everyone who uses the internet: Change your password and use two-factor verification.
“Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites,” Lackey wrote. “Users should also log out and log in to their mobile applications after this update. While you’re at it, if it’s possible to use 2FA or 2SV with sites you consider important.”
Cloudflare claims to have not yet identified any malicious uses of the information.
This massive leak is just the latest in an endless string of incidents that make you want to hate the internet. The advice coming out of all of them is to continue to rotate your passwords, or simply use two-step or two-factor verification for all of your accounts.
A list of websites potentially affected by Cloudflare’s leak is being compiled on Github.
H/T the Verge
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.