DOSarrest Vulnerability Testing and Optimization

Cloudflare bug exposes customer data

on February 28, 2017 |
DDoS DDoS Attack Specialist DDoS Defense DDoS Protection Specialist Stop DDoS

Cloudflare, a service used by more than 5.5 million websites, may have leaked passwords and authentication tokens due to a bug in an HTML parser chain.

Cloudflare uses this parser chain to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.

The leakage may have been active since September 22, 2016, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18, 2017, according to Ars Technica.

Furthermore, Google and other search engines cached some of the highly sensitive data that was leaked. Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains.

Therefore, for the entire time the bug was active, hackers had the ability to access the data in real-time by making Web requests to affected websites and to access some of the leaked data later by crafting queries on search engines.

Security engineers have already disabled e-mail obfuscation and have identified and fixed the underlying bug in the HTML parser.

Commenting on this, David Berman of CipherCloud said: “Third-party data leak risk is a constant concern for consumer facing businesses and enterprises. And while most third-party providers support best practices like SSL for data-in-transit and data-at-rest encryption for storage, a huge gap exists for ‘data in use’ including sensitive information like PII, IP addresses, keys, tokens and passwords.”

Source: http://www.thepaypers.com/default/cloudflare-bug-exposes-customer-data/768132-0?utm_campaign=Feed%3A%2Bthepaypers%2FcfKW%2B%28The%2BPaypers%2BHeadlines%29&utm_medium=feed&utm_source=feedburner
