Cloudflare data leak

firewarden Posts: 1,488
edited February 2017 in The Commons

I use Wordfence to protect my websites; they put out a warning about Cloudflare in the wee hours of this morning. It affects all Cloudflare websites and their customers. 

The post is really long with good details and I'd include it here, except for the length. I've also emailed this info to support @ DAZ.

From: Wordfence [mailto:[email protected]] On Behalf Of Wordfence
Sent: Friday, February 24, 2017 12:37 AM
To: 
Subject: [WordPress Security] Wide Impact: Cloudflare Data Leak. How to Secure your Site.

This is an unscheduled announcement that we are sending this evening to address an urgent issue which became public a few hours ago. There has been a serious data leak that affects all Cloudflare customer websites and their site visitors.

It was just announced that for the past 5 months, in certain cases sensitive data being sent from a Cloudflare customer website to a site visitor has been mixed with data being sent to visitors of completely different websites.

This issue was reported to Cloudflare last Saturday by a Google researcher. They have been working frantically since then to fix it.

This data leak was announced several hours ago on the Google Project Zero mailing list and on the Cloudflare blog. Some of the leaked data has been indexed by search engines who have been working to scrub the data from their caches.

To help explain the issue and help you secure your website, we have published details of what occurred and how to secure your website in case you have been affected by this data leak.

You can find the full post on our blog....

Regards,

Mark Maunder
Wordfence Founder & CEO

Post edited by DAZ_ann0314 on

Comments

  • Ghosty12 Posts: 2,080

    Thanks for the info though it may be too late, after reading this and to be safe I decided to delete my ccard info off the site..

  • firewarden Posts: 1,488
    edited February 2017

    The same here. It also makes me wonder how I can identify other Cloudflare websites I'm using, since I've had one of my credit cards stolen twice in the last few months. Luckily, the company whose card it was caught it quickly and called us, and let us invalidate the bad charges while we were on the phone with them. Sorry, to be clear, not saying it was through DAZ... I'd just like all my credit card info deleted from all Cloudflare sites until this is corrected. Or maybe I should just go back to using nothing but PayPal or something.... 

    Post edited by firewarden on
  • Ati Posts: 9,185
    edited February 2017

    It also makes me wonder how I can identify other Cloudflare websites I'm using

    Type the base domain of the site, followed by /cdn-cgi/trace

    So, for example http://daz3d.com/cdn-cgi/trace

    If it's a Cloudflare site, this will give you some Cloudflare details, such as which Cloudflare server you are using, etc.

    Some people might think it's funny to create a page like this even if they are not using Cloudflare, so this method is not 100%, but works most of the time.

    Post edited by Ati on
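The check Ati describes can be automated. The script below is an added example for this thread, not something posted by Ati or published by Cloudflare: it parses the key=value lines that /cdn-cgi/trace returns and applies Ati's caveat by requiring the response to have the expected shape (several of the usual keys plus a plausible three-letter `colo` edge code) rather than merely existing. The sample response and the domain in it are constructed; `fetch_trace` does real HTTP and is only called when the script is run directly.

```python
"""Heuristic check for whether a site is fronted by Cloudflare via /cdn-cgi/trace."""
import re
import urllib.request

# Keys a genuine trace response normally carries; 'colo' is the three-letter
# code of the Cloudflare edge location that served the request.
EXPECTED_KEYS = {"fl", "h", "ip", "ts", "visit_scheme", "colo", "http", "loc"}

# Constructed sample shaped like a trace response (not captured from any real site).
SAMPLE_TRACE = """\
fl=12f345
h=example.com
ip=203.0.113.7
ts=1487947021.123
visit_scheme=https
uag=Mozilla/5.0
colo=SJC
http=http/2
loc=US
tls=TLSv1.2
"""


def parse_trace(text: str) -> dict:
    """Turn the key=value lines of a trace response into a dict.

    Lines without '=' are skipped, so an HTML 404 page parses to an empty dict.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def looks_like_cloudflare(fields: dict) -> bool:
    """Apply the thread's heuristic: the page must exist AND look right.

    Requires most of the expected keys and a colo code of the usual shape.
    As Ati notes, a site could still fake such a page, so this is evidence,
    not proof.
    """
    present = EXPECTED_KEYS & fields.keys()
    colo_ok = bool(re.fullmatch(r"[A-Z]{3}", fields.get("colo", "")))
    return len(present) >= 6 and colo_ok


def fetch_trace(domain: str, timeout: float = 5.0) -> str:
    """Fetch https://<domain>/cdn-cgi/trace over the network (hypothetical helper)."""
    url = f"https://{domain}/cdn-cgi/trace"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def classify(domain: str) -> str:
    """Fetch and classify a domain; a connection or HTTP error counts as 'no'."""
    try:
        fields = parse_trace(fetch_trace(domain))
    except Exception:
        return "no trace page"
    return "cloudflare (colo=%s)" % fields["colo"] if looks_like_cloudflare(fields) else "not cloudflare"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, "->", classify(name))
```

Run it as `python check_cf.py daz3d.com othersite.example` to get one verdict per domain; the offline functions can be reused against a saved response.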
  • BeeMKay Posts: 7,019

    From reddit (bold done by me):

    "[..] but there is really bad info going around that changing your password is a fix.

    Cloudflare actually doesn't cache passwords. What was actually being leaked was cookies and authentication tokens

    What really needs to be done on affected sites is completely logging out EVERYWHERE you're logged in and then re-login. That will generate a new token.

    Changing your password will not in most cases. Basically, if a site doesn't make you re-login after you change your password, the token isn't refreshed/replaced. Reddit is in that camp. So, if Reddit WAS using Cloudflare, changing passwords wouldn't have actually fixed the issue."

    https://www.reddit.com/r/india/comments/5vwfef/psa_please_change_your_reddit_and_discord/
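The quoted point (a password change only helps if the site also invalidates existing sessions) is easy to see in code. The class below is an added illustration written for this thread, not code from Reddit, Cloudflare or Daz: it is a hypothetical in-memory user and session store where each session token is bound to a per-user `session_version`. A naive password change leaves old tokens valid, while "logout everywhere" (bumping the version) kills every outstanding token, which is what the strict password change does as well.

```python
"""Why changing a password alone does not revoke an already-leaked session token."""
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Hypothetical in-memory user/session store for illustration only."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "session_version"}
        self.sessions = {}  # token -> {"user", "version"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt,
                            "pw_hash": self._hash(password, salt),
                            "session_version": 0}

    def login(self, user: str, password: str):
        """Verify the password and mint a token tied to the user's current version."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "version": rec["session_version"]}
        return token

    def is_logged_in(self, token: str) -> bool:
        """A token is live only if its version still matches the user's."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        return sess["version"] == self.users[sess["user"]]["session_version"]

    def change_password_naive(self, user: str, new_password: str) -> None:
        """Replaces the hash only: a token leaked earlier keeps working."""
        rec = self.users[user]
        rec["pw_hash"] = self._hash(new_password, rec["salt"])

    def logout_everywhere(self, user: str) -> None:
        """Bump the version so every token issued so far is rejected."""
        self.users[user]["session_version"] += 1

    def change_password_strict(self, user: str, new_password: str) -> None:
        """What a site should do: new hash AND all existing sessions revoked."""
        self.change_password_naive(user, new_password)
        self.logout_everywhere(user)


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "old-pass")
    leaked = store.login("alice", "old-pass")       # imagine this token was exposed
    store.change_password_naive("alice", "new-pass")
    print("after naive change, leaked token valid:", store.is_logged_in(leaked))   # True
    store.logout_everywhere("alice")
    print("after logout everywhere, leaked token valid:", store.is_logged_in(leaked))  # False
```

Binding tokens to a version number (or a "sessions issued before" timestamp) is what lets "log out everywhere" work without tracking every token, and it is the piece a site needs before a password change can be called a fix.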

  • firewarden Posts: 1,488
    Ati said:

    It also makes me wonder how I can identify other Cloudflare websites I'm using

    Type the base domain of the site, followed by /cdn-cgi/trace

    So, for example http://daz3d.com/cdn-cgi/trace

    If it's a Cloudflare site, this will give you some Cloudflare details, such as which Cloudflare server you are using, etc.

    Some people might think it's funny to create a page like this even if they are not using Cloudflare, so this method is not 100%, but works most of the time.

    Thanks!

  • McGyver Posts: 7,085

    This sounds like something that customers should be notified about...?

    Other than accidentally noticing it on forums...

  • BeeMKay Posts: 7,019
    edited February 2017
    McGyver said:

    This sounds like something that customers should be notified about...?

    Other than accidentally noticing it on forums...

    From what I've read so far, the best remedy is logging in and out, and by that renew the cookie/token. The DAZ site is kicking me off regularly anyway, so...

    Post edited by BeeMKay on
  • DAZ_ann0314 Posts: 2,883

    We are locking this thread as, in the absence of information, it will be hard to have a productive discussion on the topic. We have sent the details on to Daz to request an official response as to how, if at all, this affects the site. Thank you for your patience

  • Daz 3D has been in communication with Cloudflare regarding their data leak. Cloudflare has confirmed which site owners had web requests that were impacted by this bug. According to Cloudflare, the leak affected 770 page requests (out of roughly 2.5 billion) on 161 domains. None of those domains were any that Daz 3D proxies through them. 

This discussion has been closed.