1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

New threat called Cloudbleed

Discussion in 'BlackHat Lounge' started by Mrnewbie, Feb 24, 2017.

  1. Mrnewbie

    Mrnewbie Jr. VIP Jr. VIP Premium Member

    Mar 8, 2009
    Likes Received:
    Here is the link to the story

    Uber, Fitbit, OkCupid info exposed by wide-reaching flaw

    A bug affecting 3,400 websites leaked data, including usernames, passwords and messages sent by users.

    Usernames and passwords leaked onto the open internet earlier this month because of a security bug that affected 3,400 websites, including popular services like Uber, Fitbit and OkCupid.

    You wouldn't mind if someone could break into the personal accounts you use to track your movements, your fitness and your love life, would you?

    While there's no indication that hackers actually accessed usernames and passwords, or a wealth of other private data that people sent over the services, the information was exposed both on corrupted versions of the websites and in cached results on search services like Google and Bing.

    "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," John Graham-Cumming, chief technical officer of cybersecurity company Cloudflare, wrote Thursday in a blog post detailing the flaw.

    Google security researcher Tavis Ormandy identified the flaw and brought it to Cloudflare's attention late last week. In his report about the bug, which also became public Thursday, Ormandy said he found "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings."

    The flaw originated in a widely used tool provided by Cloudflare that was meant to help manage and protect internet traffic for the affected websites. In addition to usernames and passwords, messages sent over any of these platforms -- and any other information sent via web browser to the affected sites -- could have been exposed.

    Graham-Cumming said 3,400 total websites were using the tool that contained the flaw and confirmed that Uber, Fitbit and OkCupid were among those affected. He declined to name any other services that might have had user data leak due to the problem.

    Uber said that passwords were not exposed and that "only a handful of session tokens" were affected and have since been changed. Fitbit said it is still assessing any potential impact on its users from the Cloudfare issue.

    "Concerned users can change their account password, followed by logging out and in to the mobile application with the new password," the company said in a statement.

    OkCupid also has been looking into the matter and like the others said it would take any necessary steps to protect its users. "Our initial investigation has revealed minimal, if any, exposure," said CEO Elie Seidman.

    A trickle of data, and then a surge
    The flaw is now fixed and the leaked information has been purged from search engines, meaning it's no longer exposed on the internet. After Ormandy notified Cloudflare, the company set up a team to fix the problem in a matter of hours. The flaw has been resolved since Saturday.

    The information was exposed in bits and pieces as users interacted with the affected websites starting in September. The leak peaked in the week of Feb. 13-17, Graham-Cumming said in an interview. The information would appear on the webpage in a seeming string of nonsense, which users would likely not know how to interpret, he said. The data leakage was "ephemeral" because it would disappear the second a user closed the web page.

    More worryingly, though, the leaked information was also cached by search engines like Google and Bing as they crawled the web and encountered the corrupted web pages.

    After fixing the flaw, Cloudflare focused on erasing any trace of the leaked information from the internet. That meant working with search engines to purge the cached records of the corrupted webpages.

    What's the danger?
    Graham-Cumming said users don't need to worry about changing their passwords, because there's a very low chance that their login information was found by someone who knew where to look for it.

    However, in his report on the bug, Google researcher Ormandy said Cloudflare's disclosure "severely downplays the risk to [Cloudflare] customers." Ormandy was referring to a draft of the disclosure he saw before Cloudflare went public with the news on Thursday.

    It's not clear whether Ormandy thinks end-user information is more vulnerable than Cloudflare is saying. Ormandy did not respond to questions about whether users of the affected websites should change their passwords or if they should be concerned about any other pieces of information that could have been exposed.
  2. Sherb

    Sherb Jr. Executive VIP Jr. VIP

    Dec 26, 2010
    Likes Received:
    Wanna chat? Hit me up at
    [email protected]
    More digital fearmongering.

    Takeaway: "users don't need to worry about changing their passwords, because there's a very low chance that their login information was found by someone who knew where to look for it."

    I remember when sites would keep this shit to themselves, check to make sure there was no actual data breach, quietly fix the issue, and deal with any minor backlash.

    But everything's gotta be a breaking story nowadays.
    • Thanks Thanks x 2
  3. Skyebug77

    Skyebug77 Jr. VIP Jr. VIP

    Mar 22, 2012
    Likes Received:
    The announcement wasnt made until after they fixed the bug though.
  4. redpanty

    redpanty Junior Member

    Aug 31, 2016
    Likes Received:
    glad the bug is already fixed
  5. HydesGarage

    HydesGarage Newbie

    Jan 10, 2017
    Likes Received:
    any alternatives? to CF
  6. Capo Dei Capi

    Capo Dei Capi BANNED BANNED

    Oct 23, 2014
    Likes Received:
    This page lists a few alternatives.

    • Thanks Thanks x 3
  7. SlashNineteen

    SlashNineteen Newbie

    Apr 2, 2015
    Likes Received:
    IP Address Broker
    United States
    Home Page:
    This will wind up being farther reaching than is currently implied