CLOUDFUCKED

Cloudflare's reverse proxies have an HTML parser bug that results in random data being sprayed all over the pages they host.

bugs.chromium.org/p/project-zero/issues/detail?id=1139

TL;DR: Any passwords you have EVER sent to a Cloudflare-hosted site might show up in some other random page somewhere on the internet.

NOTE: Sup Forums USES CLOUDFLARE.

Is this why old images were wiped from Sup Forums recently?

It's good I don't login here

Ironically, your data is safe if the only sites you use are Google, Facebook, Amazon, etc which have their own CDNs.

Realistically, what percentage of the human population uses at least one service "protected" by CloudFlare? I'd think it'd be safe to say at least 50%.

ha

Uber uses Cloudflare servers behind the scenes, even if you access it through the app. Lots of companies do this.

1Password also uses Cloudflare.

Based tavis

OK? Neither of those are companies I mentioned, nor anywhere near their size.

From what I understand, if the post submissions go through a cloudflare server it could have been leaking the associated IP addresses.

they're doing MITM on every site they host. WHAT COULD GO WRONG!?!?

PS: Even Sup Forums is using that fucking garbage and they're endangering everyone who purchases passes. HIRO, ditch that shit please!

Cloudflare was hacked once solely to vandalize Sup Forums.

this.

If people are going to use this shit, they should at least send encrypted blobs since TLS isn't going to save you here.

Those niggers also block Tor

This is why I don't use Cloudflare.

So you knew the bug existed? Could have reported it then.

Good. Fuck Cloudflare.

Have you ever tried to work with them to identify and stop a spammer or a scam site? They are fucking assholes. I hope something big happens with this security breach, big enough to ruin their entire fucking company and close their doors.

No, thanks. I don't want to deal with that circus.
Protip: Don't use AES.

So what popular sites use cloudflare? Outside of uber and fitbit.

>1Password
Feels good for not falling for the cloud password storage meme.

so you're mad at them for not handing over customers private info to any retard that asks?

i use cloudflare, it saves a lot of money on bandwidth and makes your ss much faster by hosting them on cdns all over the world for free

>b but it had a bug
so did every other piece of software ever made..

>a Cloudflare-hosted site
like what

They're more common than you might realize. I almost always browse via Tor, and I run into their bullshit all the time. I don't remember on what specific sites though.

cloudfag please go

> Good
you realize that all your Sup Forums posts are potentially sitting around the internet now with your IP address attached right

I posted this a few days ago. Had a feeling it would be bad, didn't think it would be this bad ><

Based fucking Tavis

>NOTE: Sup Forums USES CLOUDFLARE.
Sup Forums is the least relevant site that uses NSACloud, literally almost all of the rest of the internet uses it
Time to change all my passwords, again
>purchasing passes
TOPFUCKINGKEK
Anyways, jewt implemented the CDN in his retardation
They will never close their doors, they're a NSA asset
Literally everything that isn't Facebook, Google and Amazon, with a few exceptions of people who use other CDN's
Yeah I remember this
Unfortunately Cloudflare is an NSA asset so he won't get the publicity he deserves

you now realise the ddos attacks and the new tech to end it all.

problem reaction solution

nsa way

fuck you cloud!

>so you're mad at them for not handing over customers private info to any retard that asks?
They don't hand over PUBLIC CONTACT INFORMATION when provided with HARD EVIDENCE.

Fuck them.

>i use cloudflare, it saves a lot of money on bandwidth and makes your ss much faster by hosting them on cdns all over the world for free
Hope your customer data is retrieved from caches and you get fucked over for using a shit service.

official logo!

Passwords should be hashed though if your website is not shit.

Are you fucking retarded? This leaked data comes from the web server, before any kind of hashing can be applied.

this is leaking POST requests dude

I thought data gets encrypted with HTTPS before it travels over the internet. So Cloudflare being a man in the middle should just be transporting garbage to their client who decrypts it with their private key.

I don't know nothing about this crap, but I would have assumed that common practice would be to hash passwords locally before even sending them over the internet.

cloudflare MITM all their clients, that's literally how their service works

more like everything

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Cloudflare decrypts stuff, check any site that uses cloudflare and you will find that the certificate is issued to them
They (((need))) your SSL certificate to work, they're a massive NSA op
It is what should be done but there's a shitton of sites run by literal retards who will send plaintext passwords
Even a lot of banking sites are like this

That would defeat the point of hashing at all, you would instead leak the hash and use that as a password (pass the hash)

WHAT THE FUCK

Is there a list of websites that use Cloudflare that isn't hidden behind some sort of registration screen?

No you're dumb. The cert is issued to cloudflare, they decrypt your data. If you don't know how to check certs, stop posting.

Who cares, senpai. We have archives

Shouldn't passwords be hashed client-side before they're transported over the internet so "password" becomes "UxFMf1Nz9H5ggjTyiQB1"? Then if the website gets hacked they only found your username associated with "UxFMf1Nz9H5ggjTyiQB1" and don't know the password you use for every other login on the internet.

It would at least protect you across websites.

What should be done is sending everything through HTTPS, but in this case it doesn't prevent the password from leaking due to the way Cloudflare works.

Some call me the meme master.

No, I think that was because Hiro was being dumb as per usual.

No, because then an attacker can grab that "UxFMf1Nz9H5ggjTyiQB1" and send that to the server instead, that hash becomes your new password. Passwords need to be sent as plaintext over HTTPS and hashed (using a proper algorithm) after being received by the server.
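
The disagreement above about client-side hashing, worked through as an added example that is not part of any post in this thread. `LoginServer`, the site names and the per-site salting of the client hash are assumptions of this sketch; the "leaked" value stands for whatever bytes a TLS-terminating proxy sees inside the request.

```python
import hashlib
import hmac
import os

def client_hash(password: str, site: str) -> bytes:
    # Proposal from the thread: the browser hashes before sending.
    # Salting with the site name is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), site.encode(), 50_000)

class LoginServer:
    """Hypothetical backend: stores a salted, slow hash of whatever bytes arrive."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _stretch(credential: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, salt, 50_000)

    def register(self, user: str, credential: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._stretch(credential, salt))

    def login(self, user: str, credential: bytes) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._stretch(credential, salt))

def replay_outcomes() -> dict:
    password = "correct horse"  # constructed sample, reused on both sites
    # Scheme 1: plaintext inside TLS, hashed only on the server.
    plain_a, plain_b = LoginServer(), LoginServer()
    plain_a.register("anon", password.encode())
    plain_b.register("anon", password.encode())
    leaked_plain = password.encode()  # what the proxy held for site A
    # Scheme 2: client-side hash inside TLS, server hashes it again.
    hash_a, hash_b = LoginServer(), LoginServer()
    hash_a.register("anon", client_hash(password, "a.example"))
    hash_b.register("anon", client_hash(password, "b.example"))
    leaked_hash = client_hash(password, "a.example")  # same vantage point
    return {
        "plaintext_replays_on_same_site": plain_a.login("anon", leaked_plain),
        "plaintext_replays_on_other_site": plain_b.login("anon", leaked_plain),
        "hash_replays_on_same_site": hash_a.login("anon", leaked_hash),
        "hash_replays_on_other_site": hash_b.login("anon", leaked_hash),
    }

if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name}: {ok}")
```

The leaked client-side hash still logs in to the site it was sent to, so it is a password equivalent there; it only stops the leak from carrying over to another site where the same password is reused.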

Can I bypass Cuckflare and access Sup Forums directly?

Time to stop using the internet and burn all my technology.

It's been fun.

blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

>The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

I can't even match 1 number on a Powerball ticket. I like my odds.

>Any passwords you have EVER sent to a Cloudflare-hosted site might show up in some other random page somewhere on the internet.
>NOTE: Sup Forums USES CLOUDFLARE.
I don't normally use a password on Sup Forums. I usually use the name Anonymous.

they don't tell you what their rate of http requests a day is because it would indicate a much larger leak of data

I can't find one.
I'm checking my sites by doing traceroute.

If there is a data dump they could be post you made linking your IP to post about lolis.

I don't like loli's
Idgaf.

So is there a complete list of sites affected?

>full messages from a well-known chat service
Discord fags btfo.

We are not yet at 50 percent for human internet access.

> Some of this data was cached publicly in search engines such as Google
If big brother is not watching you fap at least you can trust he is recording everything for a later private viewing.

So have they fixed this issue as of now? Is it time to change all our passwords and shit?

>I don't know nothing about this crap
Basically Sup Forums summed up in one statement minus the double negative.

github.com/pirate/sites-using-cloudflare

Cloudkeks get btfo again

It's fixed, but the damage is fucking done, and it's big time.

>Cloudflare has over 2 million websites on its network, and data from any of these is potentially exposed.
Yeah just assume everything is compromised and change all passwords.

How do I tell if a site uses cloudflare?

>The underlying bug occurs because of a C pointer error.
No shit.
Seriously C should be banned. There is not a single human being that can write safe code with it.

technically this was a thing that was compiling some other language to C, not a human being

Well fuck me. Guess all I can do is change my passwords and emails and hope for the best.

>batoto
>myanimelist
>exhentai
Do any of these use it?

The point stands. No human being nor AI nor compiler can write safe C code. If it is in C assume there are multiple exploitable bugs.

>Sup Forums uses Cloudflare
Passfags btfo, I hope they stored CC data too.

Here's some leaked info from google cache.

It was a service called swipe or something that pops up.

Interesting. Besides the ip details is there a way to extract more information out of this? I'd like to see how exposed it is.
Captcha: pepe impacto

it's already been fixed & my site doesn't have any sensitive information. it's just a porn site

Fuck cloudflare. NSA operation.

DDoS sites until they join you, then spy on all their HTTPS traffic because they hand their cert over to you.

How many bitcoin sites were just drained because you can google cache search and grab passwords. Search for "CF-Host-Origin-IP" and "authorization" in jewggle, receive a shitload of passwords.

Jewggle is going to have to nuke their entire cache

Fucking NSAflare. For years they were called out by cryptographers and 'security industry' for how they handled 0day by making a marketing site about it and just dumping the information after warning only their biggest customers.

Forgive my ignorance, but where would that data appear?
Like, in the html source of the page?
Where would one look to find those leaks?

Access, or reliable/consistent access? I thought even third-worlders had access via cafes. Isn't WhatsApp super popular in Africa?

>The accident occurs because of a car.
No shit.
Seriously cars should be banned. There is not a single human being that can drive safely.

Search engine caches (which they explicitly mention are already mostly purged), Archive.org, maybe proxies that aggressively cache?

No, I meant, assuming someone gave me one of those pages that received the leaks, where would the leaked data be in that page?

It's transmitted in the body of the response to the client, so, yes, in the HTML source

They've barely purged it, there's cross cache contamination going on everywhere with leaked OAuth tokens galore for the taking still.

The #1 problem is of course Baidu with their Chinese government overseers likely fully raping the cache, plus the NSA runs its own http cache as per Snowden leaks since years ago. Almost everything on the internet caches http so this leak is huge.

7 million+ sites so far github.com/pirate/sites-using-cloudflare

Ah, thank you

I wonder if any tripfag tripcodes got leaked.

This bug was caused by parsing. Parsing html in C or using regex is the stupidest thing you can ever do. Cloudflare's official writeup is also missing plenty of details; they are blaming all of this on some ancient parser generating a pointer error but fail to mention they used fucking malloc and didn't zero unit memory, so that memory was full of data still and leaked, actually sprayed all over the internet in every single cache.

People who run major caches:
- all universities
- all Fortune 500 companies
- NSA/GCHQ etc.
- Jewggle, FB, MS, Baidu, duckduckgo, about a thousand other search engines

This will be fully cleaned up in about 2 years from now probably. On the project0 blog they found entire chats, adult video frames and even financial transactions.

I have a caching proxy on my router ffs

>github.com/pirate/sites-using-cloudflare
apparently not

Also, Discord was the biggest leak for some reason Discord logins and chats have been sprayed everywhere in cache history.

Apparently even if they zero'd after free like GrSecurity/Pax-Sanitize works this bug would still happen since, in addition to bad C programming practices, a pointer error was barfing out random arrays.

that list is not yet complete, still stuff being added.

most of the internet used cloudflare because they are NSA partners and helpfully offered a free tier DDoS protection (likely after ddosing you)

The list is full of garbage sites

I only get one page of results, and most of those don't have cached copies available. I think Google is disabling their cached copies for any page that seems to have this vulnerability. I tried Bing and got the same result.

>online password manager data
Does this mean the password manager used cloudflare?
