  #1  
Old 02-24-2017, 10:37 AM
averagejoe
 
Join Date: May 2011
Location: Grande Cache
Posts: 667
Massive security/data breach online (change your passwords)

Basically you will want to be changing your passwords for everything right now just to be safe.

https://www.theregister.co.uk/2017/0...personal_data/

List of possibly affected sites: https://github.com/pirate/sites-usin...ster/README.md

Part of the article.

Quote:
Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug
Heartbleed-style classic buffer overrun blunder strikes in 2017

Big-name websites leaked people's private session keys and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google researchers.

As we'll see, a single character – '>' rather than '=' – in Cloudflare's software source code sparked the security blunder.

Cloudflare helps companies spread their websites and online services across the internet. Due to a programming blunder, for several months Cloudflare's systems slipped random chunks of server memory into webpages, under certain circumstances. That means if you visited a website powered by Cloudflare, you may have ended up getting chunks of someone else's web traffic hidden in your browser page.

For example, Cloudflare hosts Uber, OK Cupid, and Fitbit, among thousands of others. It was discovered that visiting any site hosted by Cloudflare would sometimes cough up sensitive information from strangers' Uber, OK Cupid, and Fitbit sessions. Think of it as sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse.

This leak was triggered when webpages had a particular combination of unbalanced HTML tags, which confused Cloudflare's proxy servers and caused them to spit out data belonging to other people – even if that data was protected by HTTPS.

Normally, this injected information would have gone unnoticed, hidden away in the webpage source, but the leak was noticed by security researchers – and the escaped data made its way into the Google cache and the hands of other bots trawling the web.
Timeline

The blunder was first spotted by Tavis Ormandy, the British bug hunter at Google's Project Zero security team, when he was working on a side project last week. He found large chunks of data including session and API keys, cookies and passwords in cached pages crawled by the Google search engine. These keys can be used to log into services as someone else.

"The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up," he said today in an advisory explaining the issue.

"I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Ormandy said that the Google team worked quickly to clear any private information and that Cloudflare assembled a team to deal with it. He provisionally identified the source of the leaks as Cloudflare's ScrapeShield application, which is designed to stop bots copying information from websites wholesale, but it turns out the problems ran deeper than that.
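The quoted article pins the leak on a single-character comparison and on pages that ended with unbalanced HTML tags. The following C program is an added example, not code from the article, the thread or Cloudflare (whose parser was generated code; only the shape of the end-of-buffer check is kept here). It models a proxy-side tag-stripper that, on a `<`, steps over the opener and the first tag-name byte in one move, then tests for end-of-buffer with either `p == pe` or `p >= pe`. The "heap" contents, the tenant names, the `B-SECRET` token, the hard stop at the end of the array and all function names are constructed for the demonstration; the array layout is what keeps the overrun observable and well-defined, where the real bug read whatever the proxy had allocated next.

```c
/* Added example (not Cloudflare's code, not from the article): a toy HTML
 * tag-stripper with a Cloudbleed-style end-of-buffer test. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "heap": tenant A's page buffer is immediately followed by a
 * page belonging to tenant B. A's buffer ends in an unterminated '<'. */
static const char HEAP[] =
    "<p>hi</p><"                                      /* tenant A, 10 bytes */
    "<html>Hello Bob, your token is B-SECRET</html>"; /* tenant B, next allocation */
enum { A_LEN = 10, HEAP_LEN = sizeof HEAP - 1 };

/* strict == 0: the blunder (`p == pe`); strict != 0: the fix (`p >= pe`). */
static int at_end(const char *p, const char *pe, int strict)
{
    return strict ? (p >= pe) : (p == pe);
}

/* Copy the text of buf[0..len) without its tags into out, NUL-terminate,
 * and return the number of bytes written. HEAP + HEAP_LEN is a hard stop
 * standing in for unmapped memory; the real parser had no such guard. */
size_t strip_tags(const char *buf, size_t len, int strict,
                  char *out, size_t outcap)
{
    const char *p = buf, *pe = buf + len, *hard = HEAP + HEAP_LEN;
    size_t n = 0;

    while (p < hard && n + 1 < outcap && !at_end(p, pe, strict)) {
        if (*p == '<') {
            /* The machine consumes '<' and the first tag-name byte in one
             * step, assuming well-formed input. On a buffer that ends in a
             * bare '<' this lands p at pe + 1, which `==` never catches. */
            p += 2;
            while (p < hard && !at_end(p, pe, strict) && *p != '>')
                p++;                       /* skip the rest of the tag */
            if (p < hard && !at_end(p, pe, strict))
                p++;                       /* step over '>' */
            continue;
        }
        out[n++] = *p++;                   /* ordinary text byte */
    }
    out[n] = '\0';
    return n;
}

/* Convenience wrappers over tenant A's buffer (static buffers, not reentrant). */
const char *output_eq(void)
{
    static char b[128];
    strip_tags(HEAP, A_LEN, 0, b, sizeof b);
    return b;
}

const char *output_ge(void)
{
    static char b[128];
    strip_tags(HEAP, A_LEN, 1, b, sizeof b);
    return b;
}

/* Returns 1 if the `==` variant copied tenant B's token into A's output. */
int demo_leaks(void)
{
    const char *eq = output_eq(), *ge = output_ge();
    printf("== check: \"%s\"\n>= check: \"%s\"\n", eq, ge);
    return strstr(eq, "B-SECRET") != NULL;
}

int main(void)
{
    demo_leaks();
    return 0;
}
```

Run as-is, the `==` variant emits `hiHello Bob, your token is B-SECRET` while the `>=` variant stops at `hi`; the difference is the one comparison. The defensive lesson is the general one: any pointer step larger than one byte needs a greater-or-equal bound, and a parser that shares an address space across customers needs that bound in every state, not only in the main loop.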
  #2  
Old 02-24-2017, 11:58 AM
midgetwaiter
Banned
 
Join Date: Jun 2009
Posts: 1,779

Quote:
Originally Posted by averagejoe
Basically you will want to be changing your passwords for everything right now just to be safe.

https://www.theregister.co.uk/2017/0...personal_data/

List of possibly affected sites: https://github.com/pirate/sites-usin...ster/README.md


Part of the article.
For the people wondering "What's a Cloudflare"?

Cloudflare provides a bunch of services to help web companies increase reliability and performance for websites. This can include geographic content delivery, DDOS protection, Dynamic DNS resolution and much more.

So for example if I go to www.mycorp.com in my internet browser and they are using CloudFlare's content delivery network it will provide images and such for the website from a cache server physically closer to me in order to improve response times. It's a very handy service.

However this also means that you have been using a lot of Cloudflare services and probably never realized it because it is a more or less invisible layer between you and the website you are viewing. The nature of this flaw makes it difficult to predict what kind of information could leak so it's reasonable to assume the worst case. If there is a service you use in that list definitely change your password.
  #3  
Old 02-24-2017, 02:55 PM
averagejoe
 
Join Date: May 2011
Location: Grande Cache
Posts: 667

Quote:
Originally Posted by midgetwaiter
For the people wondering "What's a Cloudflare"?

Cloudflare provides a bunch of services to help web companies increase reliability and performance for websites. This can include geographic content delivery, DDOS protection, Dynamic DNS resolution and much more.

So for example if I go to www.mycorp.com in my internet browser and they are using CloudFlare's content delivery network it will provide images and such for the website from a cache server physically closer to me in order to improve response times. It's a very handy service.

However this also means that you have been using a lot of Cloudflare services and probably never realized it because it is a more or less invisible layer between you and the website you are viewing. The nature of this flaw makes it difficult to predict what kind of information could leak so it's reasonable to assume the worst case. If there is a service you use in that list definitely change your password.

Pretty much. At last count there are about 4.2 MILLION possibly affected websites. Safe to say it would just be easier to change every password you have especially if it is one you use in other places.
  #4  
Old 02-24-2017, 03:15 PM
goldscud
 
Join Date: May 2007
Posts: 2,965

Tangerine banking has been hit