On February 19th, 2017, Tavis Ormandy, a researcher with Google’s Project Zero (an elite team tasked with finding zero-day vulnerabilities), came across sensitive data leaking from websites that use Cloudflare services. Cloudflare is a huge, multi-billion-dollar company that provides a variety of web hosting services to over 5 million sites for companies such as Fitbit, Yelp, Uber, OKCupid, Zendesk, 23andMe and many more. (Uber has released a statement saying that, after investigation, it concluded that no passwords were breached.)
So what happened? According to ArsTechnica.com, private session keys and other sensitive information were released into public view due to a flaw in Cloudflare’s infrastructure products. “CloudFlare acts as a proxy between the user and web server, which caches content for websites that sit behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security.”
According to Tavis Ormandy…
"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
In fact, even if you don’t use Cloudflare’s services, but visit a site that does, your interactions could have been compromised. This vulnerability not only affects websites but mobile apps as well.
Cloudflare has since fixed the vulnerability, but is still in breach recovery mode. If you use this service, or use any of the sites listed at www.GitHub.com/pirate/sites-using-cloudflare, you should reset all of your passwords, especially if you reused an affected account’s password on another account. Always monitor account activity for any strange occurrences.
F1 Solutions has reviewed the client sites that are known to us. We have already reached out to, or changed the passwords for, the clients that were affected. However, we still recommend that you change your passwords if you even suspect that you could have been affected.