About recent CloudFlare vulnerability

Today we would like to tell you about a security breach that happened recently. Cloudflare revealed a serious bug in its software that caused sensitive data like passwords, cookies, authentication tokens to leak from its customers’ websites, TechCrunch reports.

For those of you who are not familiar with CloudFlare, it's a company that provides a content delivery network, Internet security services, and distributed domain name server services, sitting between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

So what's the problem?
Basically, this security vulnerability allowed anyone to gain personal data that is usually encrypted and it impacted millions of websites (it's now fixed).

The bug occurred in an HTML parser that Cloudflare uses to increase website performance — it preps sites for distribution in Google’s publishing platform AMP and upgrades HTTP links to HTTPS. Three of Cloudflare’s features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) were not properly implemented with the parser, causing random chunks of data to become exposed.

-TechCrunch

Is Adguard affected?
CloudFlare told us that: "Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found".
So your emails and passwords you use for Adguard account shall be safe. But anyways we would highly recommend that you change account password as a precaution!

UPD:
CloufFlare shared the following:

The summary is that, while the bug was very bad and had the potential to be much worse, based on our analysis so far:

  1. We have found no evidence based on our logs that the bug was maliciously exploited before it was patched;
  2. The vast majority of Cloudflare customers had no data leaked;
  3. After a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records; and
  4. Our review is ongoing.

Daria Magdik

Wonder Woman of Adguard family. Daria has impressive multitasking skills, knows secrets of a perfect pitch at international festivals and is always happy to remind you why exactly Adguard is the best!

Subscribe to Adguard Blog

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!