[HN] Cloudflare Reverse Proxies Are Dumping Uninitialized Memory
John Newman
jnn at synfin.org
Thu Feb 23 19:14:40 PST 2017
> On Feb 23, 2017, at 10:06 PM, Mirimir <mirimir at riseup.net> wrote:
>
> So tptacek's comment summarizes it well:
>
> | Oh, my god.
> |
> | Read the whole event log.
> |
> | If you were behind Cloudflare and it was proxying sensitive data
> | (the contents of HTTP POSTs, &c), they've potentially been spraying
> | it into caches all across the Internet; it was so bad that Tavis
> | found it by accident just looking through Google search results.
> |
> | The crazy thing here is that the Project Zero people were joking
> | last night about a disclosure that was going to keep everyone at
> | work late today. And, this morning, Google announced the SHA-1
> | collision, which everyone (including the insiders who leaked that
> | the SHA-1 collision was coming) thought was the big announcement.
> |
> | Nope. A SHA-1 collision, it turns out, is the minor security news
> | of the day.
> |
> | This is approximately as bad as it ever gets. A significant number
> | of companies probably need to compose customer notifications; it's,
> | at this point, very difficult to rule out unauthorized disclosure
> | of anything that traversed Cloudflare.
>
> https://news.ycombinator.com/item?id=13718752
>
Holy shit!
Ars has a write up
https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2210 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20170223/cb7643fe/attachment.txt>
More information about the cypherpunks
mailing list