Cloudflare flaw exposed data of users of more than 120,000 sites


Jeansunzark

3 minutes ago, Jeansunzark said:

I received an official notice stating that approximately 150 customers were affected.

Quote

Dear Cloudflare Customer:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO


It's just sad to see that CloudFlare doesn't continuously manage its own, single platform. Every now and then a security bug is found in Google's services, as well as in Facebook's. However, those at least have an excuse (or not) in that they have several hundred applications and services under their coordination.

A company responsible for a gigantic number of users should adopt preventive security policies. As examples, one can cite Google's "hackathon" policies and the prizes Facebook gives to those who find bugs. They seem like simple initiatives, but together they contribute to a safer internet.


5 hours ago, Baris Host said:

It's just sad to see that CloudFlare doesn't continuously manage its own, single platform. Every now and then a security bug is found in Google's services, as well as in Facebook's. However, those at least have an excuse (or not) in that they have several hundred applications and services under their coordination.

A company responsible for a gigantic number of users should adopt preventive security policies. As examples, one can cite Google's "hackathon" policies and the prizes Facebook gives to those who find bugs. They seem like simple initiatives, but together they contribute to a safer internet.

CloudFlare's internal security initiatives are very good, IMHO. As for Bug Bounty, that is a quite controversial topic, and even among companies with infinite money there is disagreement about whether to have such a program at all, or, if they do, how to run one. And even having one doesn't guarantee there isn't a 0-day out there...

... CloudFlare in particular is under a lot of pressure from authoritarian countries because of content hosted on its network, and those countries have invested heavily in developing or buying vulnerabilities. One can't rule out a correlation with this kind of political issue.


On February 23, Cloudflare announced a bug that caused certain traffic sent through their servers to leak from memory, potentially exposing sensitive data. MaxMind is a Cloudflare customer and uses their content delivery network for our primary website, GeoIP2 Precision JavaScript service, and GeoIP/GeoLite database download servers.

This means that if you interacted with the MaxMind website, used the GeoIP2 Precision JavaScript API, or downloaded a database from us between September 22, 2016 and February 18, 2017, the associated activity could have leaked and been compromised. This includes usernames and passwords, license keys, and IP addresses for the website and database downloads and referrers and client IPs for the GeoIP2 Precision JavaScript API.

As a precaution, we recommend that you log in to your MaxMind account as soon as possible and change your password.

Cloudflare has informed us that they have no evidence that MaxMind data leaked into third-party caches. We also have no evidence that any MaxMind accounts were compromised, and traffic to our minFraud and GeoIP web services was unaffected as these services do not use Cloudflare servers. We are continuing to monitor the situation for any updates.

You can read more about the Cloudflare bug on TechCrunch. Please get in touch with any questions.

Regards,
MaxMind
