CDN’s are great. Seriously. They are a wonder of the modern age. You get your heavy lifting done by someone else, and they have offices around the globe. What is not to like? Oh – okay – so maybe if they start over sharing you find yourself with an issue. A very ugly issue.
It has recently transpired that one of the most accessible CDN services CloudFlare have experienced an issue with some of their customers and users. While the number of sites was relatively small – they were able to to deliver content from just about all of the other sites they host.
The content appeared as junk. Junk however that the more eagle eyed would have noted was IP addresses to and from, as well as fragments that would allow someone to possibly gain access through session data, keys, or just plain raw output.
So why is this important…. well… if you use CloudFlare, then you need to take this into account.
Most importantly possibly after securing yourself DISCLOSURE to any possibly effected parties if you are storing information about others depending on your compliance needs – for example Data Protection Act, and PCI Compliance.
What they are outlining is change your Salt lines in your wp-config.php , disclosure, and closer log analysis.
Others have plenty to say on this too:
ArsTechnica reports that the leaks were spotted by Google security researcher Tavis Ormandy.
We observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.
A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
Ormandy responded by writing:
[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.
Security researcher Ryan Lackey agrees, saying that while the likelihood of passwords being exposed is low, that risk does exist and that users are advised to change them.
While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet […]
The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced. From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords.
Next up you may wish to consider who their customers are… Uber, Fitbit, OKcupid – the list goes on. There is an outside chance your accounts may have been compromised.
This is by no means an end of days (in the same way as today came the inevitable two different documents with an SHA-1 signature that matched – researched again by Google)… but it both important, relevant, and food for thought. For me it is all about the follow up, the transparency, the how it is announced, and dealt with… the lack of cover up… things do go wrong, and bad things to good people.
Go change that salt (to log out existing users getting in with session data or encrypted passwords) if you use WP with CloudFlare, or any CDN for that matter (as they are simply the ones in the spotlight and open about it) … and stop for a while and think about what you would leak, or lose, if your site were compromised, defaced, or deleted in it’s entirety.
Patch. Backup. Compliance.
Then go make a brew and rejoice – for it is Friday, and what is done… is done. It’s now time to make good.
If you want to discuss the implications of this, or any other service we provide – get in touch.