• Sky
  • Blueberry
  • Slate
  • Blackcurrant
  • Watermelon
  • Strawberry
  • Orange
  • Banana
  • Apple
  • Emerald
  • Chocolate
  • Charcoal
Sign in to follow this  
Followers 0

Cloudflare Parser Bug - Security Leak

[General Notice] 


"Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months."


Yesterday an incident report was published by Cloudflare to explain a security breach that resulted in a small proportion of data being leaked across a high number of domains (up to 4,287,625) utilising aspects of their software. As such, it is recommended that at a minimum you change passwords associated with affected sites and any reoccurring passwords between sites. You should change passwords for any key email accounts and activate 2-factor authentification where possible. 


In this instance, ImpsVillage.com was not affected. 


Some of those affected sites running Cloudflare include:








The full list can be found here:



Key extracts from Cloudflare's report:



The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).




Detailed Timeline

We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it.

All times are UTC.

2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information 
2017-02-18 0032 Cloudflare receives details of bug from Google 
2017-02-18 0040 Cross functional team assembles in San Francisco 
2017-02-18 0119 Email Obfuscation disabled worldwide 
2017-02-18 0122 London team joins 
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide 
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

2017-02-20 2159 SAFE_CHAR fix deployed globally

2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide




1 person likes this

Share this post

Link to post
Share on other sites
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.