Tavis Ormandy, a security researcher at Google, spotted the breach and found encryption keys, cookies, passwords and HTTPS requests in public caches. He contacted Clouldflare, which then began to work to identify and stop the issue, which came down to a typo in the code that caused a buffer overrun. In its public statement, Cloudflare added that it held off on disclosing the issue until it had ensured that search engine caches had been cleared of any personal data.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
If you’re worried about how this affects you — and it probably does — then it’s time to change your passwords for everything. There’s a full list of directly affected sites available here, although it’s probably wise to change all of your security keys, since you never know what data has leaked to where. Additionally, 1Password, which uses Cloudflare for hosting, has come out publicly to reassure customers that their data remains secure.
No comments:
Post a Comment