A severe security vulnerability has been discovered in the Cloudflare content delivery network that may have caused big-name websites to expose private session keys and other sensitive data.

Cloudflare, a content delivery network (CDN) and web security provider that fronts over 5.5 million websites, is warning its customers of a critical bug that may have exposed a range of sensitive information, including passwords, cookies and the tokens used to authenticate users.

Dubbed Cloudbleed, the flaw takes its name from the Heartbleed bug discovered in 2014, and some researchers believe it to be worse than Heartbleed.

Because the leak happens inside the proxy, it affects not only websites served through the Cloudflare network but also mobile apps whose back-end APIs sit behind it.

What is Cloudbleed?


Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in Cloudflare's edge infrastructure that leaked private session keys and other sensitive information belonging to websites hosted behind Cloudflare into responses served for other sites.

Cloudflare acts as a reverse proxy between the user and the origin web server: its global network of edge servers caches content for the sites behind it, lowering the number of requests that reach the origin, and parses or rewrites pages in transit to provide optimization and security features.

Ormandy found a buffer over-read in Cloudflare's edge servers: while parsing HTML they ran past the end of a buffer and returned adjacent process memory, containing private data such as HTTP cookies, authentication tokens and HTTP POST bodies, inside responses to other requests. Some of the leaked data had already been cached by search engines.

The faulty parser belongs to Cloudflare's "ScrapeShield" feature, which parses and obfuscates HTML. Because the reverse proxies are shared among customers, memory leaked while rewriting one customer's page could contain data belonging to any other customer, whether or not that customer used the feature.
 
Cloudflare has since patched the issue.
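The over-read described above, reduced to a small model as an added example. This is not Cloudflare's code (theirs was a full HTML parser in a much larger code base); the arena, the two tenants' strings and the function names are constructed for illustration. The buggy routine keeps an equality test against the end pointer while its inner tag scan advances without a bound, so an unterminated tag at the very end of one tenant's page carries the read pointer into the next tenant's data; the fixed routine bounds every advance.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed shared arena standing in for one edge-server process.
 * Bytes [0, page_len) hold tenant A's HTML; the bytes after it hold
 * tenant B's request data, which happens to sit next to it in memory.
 * Both strings are made up for this example.
 */
static char arena[128];
static const char *TENANT_A_PAGE = "<p>hi</p><img src=\"x.png";   /* tag never closed */
static const char *TENANT_B_DATA = "\">Cookie: session=s3cr3t\r\n";

/* Lays out the arena and returns the length the parser is told page A has. */
static size_t setup_arena(void)
{
    size_t page_len = strlen(TENANT_A_PAGE);
    memset(arena, 0, sizeof arena);
    memcpy(arena, TENANT_A_PAGE, page_len);
    memcpy(arena + page_len, TENANT_B_DATA, strlen(TENANT_B_DATA));
    return page_len;
}

/*
 * Buggy tag stripper. The outer loop tests p != end (equality), and the
 * inner tag scan advances p with no bound of its own. An unterminated tag
 * at the end of the input carries p past `end`; the equality test can then
 * never fire again, and whatever follows the page in memory is copied into
 * the response, bounded only by the size of the output buffer.
 */
static size_t strip_tags_buggy(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;

    while (p != end && n + 1 < outsz) {
        if (*p == '<') {
            while (*p != '>')      /* no bound check: may run past `end` */
                p++;
            p++;                   /* skip the '>' */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Fixed: every advance of p is bounded by `end`, and the test is '<', not '!='. */
static size_t strip_tags_fixed(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;

    while (p < end && n + 1 < outsz) {
        if (*p == '<') {
            while (p < end && *p != '>')
                p++;
            if (p < end)
                p++;               /* skip the '>' only if one was found */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    size_t page_len = setup_arena();

    strip_tags_buggy(arena, page_len, out, sizeof out);
    printf("buggy : \"%s\"\n", out);      /* tenant B's cookie appears here */

    strip_tags_fixed(arena, page_len, out, sizeof out);
    printf("fixed : \"%s\"\n", out);      /* just "hi" */
    return 0;
}
```

The arena keeps the over-read inside one array so the demonstration is deterministic; in a real process the bytes past `end` are whatever the allocator placed there, which is exactly why other customers' cookies and POST bodies turned up in responses.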

How Does Cloudbleed Affect You?


Many Cloudflare features work by parsing HTML pages and modifying them on Cloudflare's edge servers, so a large number of customer websites passed through the affected code.

Even if you do not use Cloudflare directly, that does not mean you are spared: any website you visit or web service you use that sits behind Cloudflare may have leaked your data.

Of course, if you run your own site behind Cloudflare, the flaw could affect you directly, exposing sensitive information that flowed between your servers and end users through Cloudflare's proxies.

Although Cloudflare patched the bug rapidly and has said the actual impact is relatively minor, data had been leaking for months before the fix.

Leaked data may also persist in caches and archives across the web, and purging it from every such location is impossible.


Cloudflare's major customers affected by the vulnerability include Uber, 1Password, FitBit and OKCupid. In a blog post, 1Password assured its users that no sensitive data was exposed because user data is encrypted on the device before it is sent, so the plaintext never reached Cloudflare's proxies. Transport encryption alone would not have helped, since Cloudflare terminates TLS at the edge and the leak happened after that point.

A list of websites potentially impacted by the bug has been published on GitHub by a user going by the name 'pirate'; it includes Coinbase, 4chan, BitPay, DigitalOcean, Medium, Product Hunt, TransferWise, The Pirate Bay, ExtraTorrent, Bitdefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register and many more.

Since Cloudflare has not yet provided a list of affected services, bear in mind that this list is not comprehensive, and that inclusion on it only means a site uses Cloudflare, not that its data is known to have leaked.

What should You do about the Cloudbleed bug?


Users are strongly advised to reset their passwords on affected sites, and anywhere the same password has been reused, and to monitor account activity closely while cleanup is under way.

Customers who use Cloudflare in front of their websites are advised to force a password change for all of their users and to invalidate existing sessions, since session cookies and authentication tokens were among the data leaked.

 

A vulnerability in the WordPress REST API allows remote, unauthenticated attackers to modify the content of any post or page on a WordPress site.

The bug resides in the WordPress REST API and gives rise to two issues: remote privilege escalation and content injection.

WordPress is the world's most popular content management system (CMS), used on millions of websites. The REST API was added to the core and enabled by default in WordPress 4.7.0.

Flaw Lets Unauthenticated Attackers Redirect Visitors to Malicious Exploits

The vulnerability is easy to exploit and affects versions 4.7 and 4.7.1 of WordPress, allowing an unauthenticated attacker to modify every page and post on an unpatched site and, for example, redirect visitors to exploit kits or other malicious content.

The vulnerability was discovered by Marc-Alexandre Montpas of Sucuri and reported to the WordPress security team, which handled the matter well: it released a patch but withheld details of the flaw so that attackers could not exploit it before the millions of affected sites had updated.

If you are running WordPress 4.7 or 4.7.1, upgrade to 4.7.2 or later immediately. Need help? Get in touch.

1 billion Yahoo accounts Hacked

Yahoo disclosed that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.

One of the UK's biggest mobile operators, Three, has become the latest victim of a massive data breach that reportedly exposed the personal information and contact details of 6 million of its customers.

The company admitted the breach, saying that attackers gained access to a Three customer phone-upgrade database containing the account details of nearly 6 million customers.

According to multiple British media reports citing both Three and the National Crime Agency (NCA), the attackers used an employee's login to get into the database.
 
The stolen data includes customer names, addresses, phone numbers and dates of birth, which were then used to carry out handset-upgrade fraud.

The company has not yet confirmed the total number of users affected by the breach, though it assured customers that no payment data, including bank account numbers and card numbers, was accessed.

According to Three, the attackers used the stolen personal details to identify customers eligible for a handset upgrade, place orders for new phones, intercept the parcels on delivery and resell the devices for profit.

To date, Three has confirmed around 400 cases in which high-value handsets were stolen in burglaries, and eight devices that were obtained illegally through the upgrade fraud.

 

Hackers have obtained credentials for more than 68 million accounts of the cloud storage service Dropbox, stemming from a known 2012 data breach.

Dropbox has confirmed the breach and has already notified customers of a forced password reset, though its initial announcement did not state the number of affected users.

In a selection of files obtained through sources in the database-trading community and the breach notification service Leakbase, Motherboard found around 5GB of files containing details on 68,680,741 accounts, including email addresses and salted, hashed passwords of Dropbox users.

An unnamed Dropbox employee verified the legitimacy of the data.

Of the 68 million hashes, almost 32 million were produced with bcrypt, a deliberately slow password-hashing function that makes recovering the original passwords expensive; the remainder are SHA-1 hashes, which a fast general-purpose hash like SHA-1 lets an attacker test at far higher rates, salt or no salt.

The hashes are also believed to be salted: a random per-user string is mixed into the hashing, which defeats precomputed (rainbow-table) attacks and forces each password to be cracked individually rather than all at once.

    "We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox.

    "We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."

Dropbox initially disclosed the breach in 2012, notifying users that an employee's password had been stolen and used to access a document containing users' email addresses, but the company did not disclose that the attackers had also obtained password hashes.

Earlier this week, however, Dropbox emailed users warning that a large set of credentials obtained in the 2012 breach may soon surface on dark web marketplaces, and prompted anyone who had not changed their password since mid-2012 to do so.

    "Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," the company wrote. "Our analysis suggests that the credentials relate to an incident we disclosed around that time."

Dropbox is the latest addition to the list of "mega-breaches" revealed this summer, in which hundreds of millions of credentials from years-old breaches of popular sites, including LinkedIn, MySpace, VK.com and Tumblr, were put up for sale on the dark web.


Change your Dropbox password immediately, along with the password of any other account that shares it; reusing passwords is what turns one breach into many.
