February 24, 2017

What happened at Cloudflare and how bad is the hack?

By Billy

Firstly, calling it a hack is wrong: nobody broke in. A bug in Cloudflare's own software leaked data. But some big-name websites are known to use Cloudflare's services, and there are probably more that we don't know about yet.

Cloudflare's customers include Uber, OkCupid and Fitbit, among thousands of others.

Because Cloudflare sells its services to anyone, its customer base includes a lot of the internet's seedier corners as well as some big mainstream names.

A lot of the most popular sites affected host pornography and provide bitcoin services.

Scroll down for a list of some of the biggest sites known to be affected.

Cloudflare sits between websites and their visitors as a reverse proxy and content delivery network, serving customers' pages from servers close to users and absorbing DDoS attacks. Because it terminates HTTPS on behalf of its customers, every request and response passes through its servers in the clear, which is why its bugs can expose everyone's data at once.

The root cause was a buffer-overrun bug in an HTML parser that Cloudflare deployed in September 2016, used by features that rewrite customers' pages on the fly (email address obfuscation, server-side excludes and automatic HTTPS rewrites). On certain malformed pages the parser read past the end of its buffer, and whatever happened to sit next to it in the edge server's memory, including passwords, cookies and authentication tokens from other customers' requests, was written into the response to a completely different website, in plaintext.

If you visited a website that uses Cloudflare, you may have received chunks of someone else's web traffic embedded, usually invisibly, in the page your browser loaded.

Because the leaked bytes were part of ordinary page responses, search engines such as Google cached them along with the pages, and any bot crawling the web could have collected them. That compounds the problem: the data stayed retrievable after the bug itself was fixed, until the caches were purged.
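To show the mechanism concretely, here is an added example that is not Cloudflare's code: a simplified model of the parser bug Cloudflare described in its post-mortem, where the end of the input buffer was tested with == rather than >=. The memory arena, the request names and the cookie value are constructed for the example; the rewrite routine just collapses backslash escapes, standing in for the much larger HTML parser.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of one edge server's memory. Request A's page is being
 * rewritten; the bytes immediately after it belong to request B (a Cookie
 * header from a different customer's site) and must never reach A's response.
 */
static const char ARENA[] =
    "<p>hello</p>\\"                            /* request A: 13 bytes, ends in a lone backslash */
    "Cookie: session=B-SECRET-TOKEN; user=bob"; /* request B: adjacent in memory */
#define A_LEN 13                                /* length of request A's page */

static char g_out[48];   /* response body buffer for request A (constructed size) */

/*
 * Vulnerable rewrite: copies the page, turning "\x" escapes into "x".
 * End of input is detected with ==, like the bug in Cloudflare's parser.
 * A backslash as the final byte advances p by two, from pe - 1 to pe + 1,
 * so the equality check never fires and the copy runs on into request B's
 * bytes until the output buffer is full.
 */
size_t unescape_vuln(const char *p, const char *pe, char *out, size_t outsz)
{
    size_t n = 0;
    while (n + 1 < outsz) {
        if (p == pe)              /* BUG: should be p >= pe */
            break;
        if (*p == '\\') {
            p += 2;               /* jumps past pe when the backslash is last */
            out[n++] = p[-1];     /* already one byte beyond the page */
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/*
 * Fixed rewrite: the loop condition is a range check that a multi-byte step
 * cannot jump over, and a dangling escape at the end of input is refused
 * instead of reading the byte after pe.
 */
size_t unescape_fixed(const char *p, const char *pe, char *out, size_t outsz)
{
    size_t n = 0;
    while (p < pe && n + 1 < outsz) {
        if (*p == '\\') {
            if (p + 1 >= pe)      /* incomplete escape: stop, never read past pe */
                break;
            out[n++] = p[1];
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Run a rewrite over request A's slice of the arena and report whether
   request B's secret ended up in A's response body. */
int leaks_neighbour(size_t (*rewrite)(const char *, const char *, char *, size_t))
{
    rewrite(ARENA, ARENA + A_LEN, g_out, sizeof g_out);
    return strstr(g_out, "B-SECRET-TOKEN") != NULL;
}

int main(void)
{
    printf("vulnerable: leak=%d body=\"%s\"\n", leaks_neighbour(unescape_vuln), g_out);
    printf("fixed:      leak=%d body=\"%s\"\n", leaks_neighbour(unescape_fixed), g_out);
    return 0;
}
```

The vulnerable routine emits request B's session cookie as part of request A's page; the fixed one stops at the end of A. In this model the output buffer size bounds the damage; on a real server nothing so tidy stopped the scan, which ran until the parser happened to reach a terminating state, so whatever other customers' traffic lay in that memory was emitted.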

Over at tech news site The Register it was compared to “sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet or purse”.

Given the size of Cloudflare's client base this is a big problem that potentially exposes a huge slice of the web. Exactly how much is still not known. One company's chief technology officer described the breach as "the worst I've ever seen".

People are being advised to check their password managers and change their passwords, especially those used on the affected sites, and, where a site offers it, to sign out of all sessions so that any leaked session cookie stops working.

When was this discovered?

It was discovered a week ago, on February 17, by Tavis Ormandy, a researcher on the search giant's Project Zero security team, entirely by accident: he noticed data that should not have been there while examining output from a tool he was working on.

He asked on Twitter for a security contact at Cloudflare.

He then told Cloudflare privately so the company would have a chance to react before the bug was made public, as is standard practice when these things are discovered.

Cloudflare's engineers switched off the affected features within the hour and deployed a fix within days, but said nothing in public, presumably to get a handle on the situation and keep it under wraps to avoid the bad PR, until Project Zero's seven-day deadline for serious bugs ran out on February 23 and Google forced their hand.

Notable sites that are known to use Cloudflare:

(via github)

  • authy.com

  • coinbase.com

  • betterment.com

  • transferwise.com

  • prosper.com

  • digitalocean.com

  • patreon.com

  • bitpay.com

  • news.ycombinator.com

  • producthunt.com

  • medium.com

  • 4chan.org

  • yelp.com

  • okcupid.com

  • zendesk.com

  • uber.com

  • namecheap.com

  • poloniex.com

  • localbitcoins.com

  • kraken.com

  • 23andme.com

  • curse.com (and some other Curse sites like minecraftforum.net)

  • counsyl.com

  • stackoverflow.com (not affected)

  • fastmail.com (not affected)

  • 1password.com (not affected)
