Cloudflare accidentally leaks the private information of most of the internet, CEO shows up in HackerNews comments to defend their honor

75  2017-02-25 by coco-o

55 comments


Snapshots:

  1. This Post - archive.org, megalodon.jp*, archive.is*

I am a bot. (Info / Contact)

For people not in the know, this is a pretty massive problem. Happened on approximately the same day another major security flaw went public, that SHA-1 encryption has been practically broken, so there's a lot going on in computer security at once.

Basically, cloudflare's CEO is essentially saying "hey, sorry I went and vomited on all your walls and carpets (and those of, like, everyone, randomly, around the world), but I'd really appreciate you cleaning it up faster".

Not sure what the CEO expects when they shit out personal info all across the web. They had to make it public so anyone caching the data can remove it, and anyone who uses cloudflare can inform their users of the breach and to act accordingly.

It's been nicknamed "cloudbleed" because it has some similarities, at least in terms of the breadth of data leaked, to a past stupid security flaw "heardbleed".

I'm realizing I have nothing to shitpost here as I type this. Fuck.

Heartbleed you fuckking fake nerd.

typo

D and T aren't even close to each other smh.

This is why you use homerow.

nigger

edit: upvote this post

EDIT: wtf /r/drama?

lmao

please upvote my post, thanks!

Also cloudflares top prize in their bug bounty program was a t-shirt. Now they have this in their hands which could cost them millions.

And it was discovered and revealed by someone working for google. He could have been quiet and sold it in the black market, but instead of a "t-shirt", he got - his regular salary and a bullet point in the next appraisal subjective to his supervisor. Really makes you think.

SHA-1 encryption

wew lad

Does this mean if I starred in a loli hentai as a seiyuu(voice actress) and director people would know now?

You are correct. Forgot specific difference between the two when typing this out before falling asleep.

How does this even happen?

Cloudflare is a DDOS protection service; my understanding of how it works is that it is a middleman between clients and servers. So when you connect to reddit, your request goes through Cloudflare, then hits reddit.com, and vice versa. What Cloudflare has been doing is caching all that data, including credit cards+personal messages+full webpages people have accessed, that goes through them on webpages that you can literally find on a search engine. Even worse is that data that should be encrypted is there totally unprotected.

Gizmodo write-up provides a good explanation at the 'How' section.

Basically, all computer programs, from the data they work with to the code itself, reside in memory somewhere. Cloudflare's DDOS protection stuff would write website data to certain parts of memory. However, memory is obviously physical and thus limited. You can fill up/write to all available memory, and if you don't stop, who knows what you'll write over. Usually this would trigger the program to do something, like write somewhere else, throw an error, whatever. The check that the program did to tell whether it should stop writing to memory was faulty, so once it reached the limit of its allocated memory, it just kept writing data over whatever was there, basically putting random data from one source in completely unrelated locations.

Heartbleed was similar, in that a user would connect to a site, and instead of asking for the amount of data that made up that site, it would ask for some absurdly large number more, which, again, because the check was faulty or non-existent, would just spew back whatever was in memory after the desired site.
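The two failure modes described in this comment, a parser whose stop check only matches the exact end of its buffer, so the cursor can run past it and the loop keeps going over whatever memory follows, and a server that copies back as many bytes as the requester claims to have sent, as an added C illustration. This is not part of the original thread and is not Cloudflare's or OpenSSL's code: the arena that stands in for process memory, the toy escape grammar, the input strings and the "SECRET-COOKIE" value are all constructed, and the faulty and fixed checks sit side by side so the difference can be run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not Cloudflare's or OpenSSL's code) of the two
 * bug classes described in the comment above.  A small arena stands in for
 * process memory: the parser's input fills its first input_len bytes and
 * data belonging to someone else sits directly after it. */
#define ARENA_SIZE 64

typedef struct { unsigned char mem[ARENA_SIZE]; size_t input_len; } arena_t;
typedef struct { size_t written; size_t leaked; } parse_result_t;

static void arena_init(arena_t *a, const char *input, const char *neighbour) {
    memset(a->mem, 0, sizeof a->mem);
    a->input_len = strlen(input);
    memcpy(a->mem, input, a->input_len);
    memcpy(a->mem + a->input_len, neighbour, strlen(neighbour));
}

/* Pattern 1 (Cloudbleed-style): an end-of-buffer check that only fires when
 * the cursor lands exactly on the end.  Toy grammar: a plain byte is copied;
 * a backslash is an escape that also consumes the next byte and emits '?'.
 * A truncated escape makes the cursor jump past the end without ever
 * equalling it.  strict == 0: stop when p == pe (faulty); 1: p >= pe (fix). */
parse_result_t parse(const arena_t *a, int strict, unsigned char *out, size_t out_cap) {
    parse_result_t r = {0, 0};
    size_t p = 0, pe = a->input_len;
    /* loop bounds are demo guards only; the real bug had no such backstop */
    while (r.written < out_cap && p < ARENA_SIZE) {
        if (strict ? (p >= pe) : (p == pe))
            break;
        if (p >= pe)                 /* only reachable with the faulty check */
            r.leaked++;
        if (a->mem[p] == '\\') {
            out[r.written++] = '?';
            p += 2;                  /* two-byte rule: can overshoot pe by one */
        } else {
            out[r.written++] = a->mem[p];
            p += 1;
        }
    }
    return r;
}

/* Pattern 2 (Heartbleed-style): the requester states a length and the faulty
 * server copies that many bytes back without checking it against the payload
 * that actually arrived.  Returns the number of bytes echoed. */
size_t echo(const arena_t *a, size_t claimed_len, int strict,
            unsigned char *out, size_t out_cap) {
    size_t n = claimed_len;
    if (strict && n > a->input_len)
        n = a->input_len;            /* the fix: never trust the stated length */
    if (n > ARENA_SIZE) n = ARENA_SIZE;   /* demo guards only */
    if (n > out_cap)    n = out_cap;
    memcpy(out, a->mem, n);
    return n;
}

/* Drives both patterns over constructed input, with a made-up cookie placed
 * in memory right after the request fragment. */
parse_result_t demo_parse(int strict, unsigned char *out, size_t out_cap) {
    arena_t a;
    arena_init(&a, "user=al\\", "SECRET-COOKIE");   /* ends in a truncated escape */
    return parse(&a, strict, out, out_cap);
}

size_t demo_echo(int strict, unsigned char *out, size_t out_cap) {
    arena_t a;
    arena_init(&a, "hello", "SECRET-COOKIE");       /* 5-byte payload, 16 claimed */
    return echo(&a, 16, strict, out, out_cap);
}

/* 1 if a slice of the neighbouring cookie ended up in the emitted bytes. */
int contains_cookie(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 5 <= len; i++)
        if (memcmp(buf + i, "CRET-", 5) == 0)
            return 1;
    return 0;
}

int parse_leaks_cookie(int strict) {
    unsigned char out[32];
    parse_result_t r = demo_parse(strict, out, sizeof out);
    return contains_cookie(out, r.written);
}

int echo_leaks_cookie(int strict) {
    unsigned char out[32];
    return contains_cookie(out, demo_echo(strict, out, sizeof out));
}

int main(void) {
    printf("parse: faulty check leaks? %d  fixed? %d\n", parse_leaks_cookie(0), parse_leaks_cookie(1));
    printf("echo:  faulty length leaks? %d  fixed? %d\n", echo_leaks_cookie(0), echo_leaks_cookie(1));
    return 0;
}
```

With the equality check, the truncated escape moves the cursor one byte past the end, and from then on every byte of the neighbour (and the zeroed memory after it) is copied into the output; the `>=` comparison stops at the same input. The echo case shows the other shape of the same mistake: the fix is not a bigger buffer but clamping the requester's claim to the length the server actually received.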

They had to make it public

Nope. The "7 day policy" could have easily been rescinded given the massive scale of the bug. They could have waited, if they were "not evil", but whatever. I don't see how the zero team making the exploit public had any advantage to anyone, whether openly being good for alphabet shareholders or general plebs like me and you? Can you explain?

Cloudflare letting their clients know is de-facto making it public. Cloudflare has a fuck-ton of clients. Any one of them could have leaked the exploit once they mass-emailed their clients. Also it would give any potential exploiters time for a final trawl. The exploit has been out there for months, who knows how many people have been taking advantage of it.

An exploit that allows people the ability to acquire personal info is one thing. An exploit that shits out personal info across the web like a shooting star is another. Mass-panic mode is kind of the best way to take care of this sort of thing ASAP. There's no real optimal solution here.

Your edit was my point.

That's so many vectors for the info to leak though that I don't think it would have made a difference.

I disagree. It would have made a massive difference. If you read the OP, the cloudflare CEO confirms that all major search engines including duckduckgo, bing, yandex and even the chinese state-controlled search engine baidu have cleared the cache upon their request without giving them hell or leaking stuff.

This is how most critical security issues are handled. You can't assume whatever you've read as leaked till now was all that was ever leaked.

In the OP, the first comment, by taviso himself, has examples of stuff they missed on bing. No way of knowing if all of those sites are now 100% scrubbed.

I'm aware most exploit posts stay private for longer. I think this is slightly different than your usual exploit. It was a bug that was doing bad things whether people wanted to exploit it maliciously or not. I'm not sure how much the quick release exacerbates the problem.

Maybe it's just that I instinctively trust taviso most of the time, idk.

Someone just added a controversy section to his wikipedia article with this

After finding a bug in Cloudflare's infrastructure[9] it was decided that Google would disclose the bug after 7 days, rather than the normal 90 days (which is still shown as the disclosure window in the project zero tracker)[10]. However, in the end Google and Tavis then prematurely disclosed the bug after 6 days before leaked data could be cleaned up. The 7 day window is usually reserved for bugs that haven't been patched and are actively being exploited[11]. Cloudflare had previously patched the bug[9], but hadn't at the time of disclosure managed to co-ordinate the removal of data saved by search engines[12]. Leaked customer data was therefore publicly available on the Internet at the time of disclosure.

This is my point basically.

SHA-1 encryption has been practically broken

GTFO

wtf is that fake reddit

It's like reddit with no subreddits and a fixed set of topics that are on-topic, and Paul Graham is an admin so he can and does censor things that criticise him or his startup seed funding provider, Y Combinator. Pretty pointless IMO.

Thanks

On the other hand, the signal to noise ratio of people who know what they're talking about (on tech matters) is a lot higher than reddit.

The community is also full of stealth SJWs looking for ways to inject their nonsense into the discussion (they also have their own clone "lobste.rs", which I guess is analogous to Imzy or something). Which is kind of amusing when you consider some of Paul Graham's old essays.

stealth sjws

get a life lol

no u

pretty sure the thing about lobsters is that they only allow technical discussion, no politics or cultural topics permitted. unless things have changed a lot there.

I remember seeing some shit linked to me but it could have gotten fixed since, idk.

tbh most threads on there are showing off about how cle

It is not that much different. They just use more flamboyant words to say "fuck off retard".

It's just a reskin of /r/programmingcirclejerk

Hacker News predates reddit by a while. It's also populated by an audience with more smarm than all of reddit: Silicon Valley.

For non nerd faggots: A lot of websites use cloudflare.

Mostly for DDOS protection...

And inadvertently blocking websites from anyone using a VPN.

Does it filter out VPN or otherwise interfere with VPN usage? I always thought TOR was what had problems with cloudflare sites, or am I thinking of captcha...

People buy cheap VPNs en masse to scrape the living shit out of websites, the entire block of IPs is then blocked.

A commercial VPN will have several people using the same apparent address, so you can get multiple requests to a site from the same IP, making it (incorrectly) look like bot activity.

It's not that bad on some sites, on some it's terrible.

How does this affect anime?

Now everyone knows what hentai you look at.

Oh. Is that all? I was hoping for something that made everyone know where anime belongs.

Isn't that what facebook is for?

Pfft. Everyone on this train already knows that

animenewsnetwork.com may be affected so it may help us gas the weebs quicker.

Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as much damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.

Damn that is impressively petty.

Don't cross google. They probably have skynet by now and seeing as we're not living in a post apocalyptic wasteland, they must be controlling it!

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

read between the lines

I'm not disagreeing with you. I was just loling at how terribly Cloudflare fucked up.

I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.

Like, damn.

Google now knows all this in addition to everything they already know. But yeah cloudflare done fucked up real bad. There's no whitewashing this.

Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as much damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.

The idea of trusting another service to forward all my traffic protected or not always seemed hinky.