Fiverr Forum

Massive CloudFlare breach may have leaked passwords, Fiverr may have been affected


#1

CHANGE YOUR PASSWORDS

Just so everyone is aware, CloudFlare has had a relatively massive breach. CloudFlare is a service that helps to distribute server load and uses https, a usually secure method of internet communication.

Apparently, since September of 2016, some https communications have been leaking from the service, approximately .00003% of them. This includes password submissions, API data, the lot.

So, change your passwords, and for you web folks, update your APIs and tell your clients to do the same. There are literally thousands of sites affected, some are listed here: https://github.com/pirate/sites-using-cloudflare

Notable sites affected include:

Mod Note: Title changed due to unsupported claims. If you wish to change your Fiverr password as a precaution then it is suggested that you do so but there does not seem to be a need to do so at this time.


#2

This is why people should not connect third party crap into their own secure systems. Just because it’s the internet does not mean that everything should be connected to everything else. Think about what would happen if an electrician did the same thing.

I’ll check on that while I’m not logged in.

As a reminder, please people do not reply to this to tell everyone which of the affected sites you have accounts on. (I had to say it, I have seen people do it before. Many times.)


#3

The thing is, CloudFlare is (or used to be) a very effective solution for sites that needed additional security and load balancing. The fact that it is free to use in certain capacity makes it easy for people with busy sites to speed things up. APIs make it really easy to integrate services with your own web apps, and can be very useful. For example, I can link weather data with a housing association site to let their visitors know what the weather in the area is like.

So while I do disagree with you to a point, I do agree that needless connectivity can be dangerous. If Fiverr had built and maintained their own international servers to handle load balancing, this wouldn’t be an issue. But that’s probably not as cost effective for them. In general I feel like web inter-connectivity can be great, but it’s not smart to use a 3rd party solution you have not vetted or do not actually need.


#4

A friendly reminder as I just happened to change my password… :wink:

If you want to change your password, or in case fiverr might force a password change, you will be asked for the answer to your security question, so it might be a good idea to (try to) remember your security question already or where you wrote it down, in case it's something not even guessable to yourself ; )

I'm not sure what happens if you initiate a password change and then don't know your security question, if it will just default to your old/current password or if you will be stuck between a rock and a hard place, but it might be better not to risk finding out with an impending deadline to keep.


Oh, and since this is in conversations, according to a Google security person, 'the lot' includes: "I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, [encryption] keys, data, everything."

Must be fun, such data leakages, if you happen to be someone who can be finding stuff. :wink:


#5

Fiverr no longer uses CLOUDFLARE.

They are on AWS.

So stop trying to create a mass hysteria, if this affected Fiverr, a notice would have been sent automatically.

I would strongly advise you to change your THREAD TITLE.


#6

Since when? I think it's not too long ago that I was directed to Cloudflare CS by fiverr CS because it didn't allow me to change my profile pic. And the articles say the leakage already occurred from September 2016, when I wasn't even on fiverr yet.

Regarding the notice, I don't think so from the articles I read about Cloudbleed. From the articles, changing the password may or may not be needed because of that too; I guess people should read a bit more and decide for themselves if they want to or not.

No reason for mass hysteria either way, so far you're right, just your usual leakage going on.

edited just for the records: I looked through my mail, and my interaction with fiverr and cloudflare CS because of the failed profile picture change was on January 10/11.


#7

This is not an official response, just some relevant info I copy and pasted from a longer post on the Cloudflare blog.

Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
The greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests).

My understanding of the longer post is not that there was “a password leak” but that data was leaked that could potentially have contained passwords. Also, only 0.00003% of requests (from all the sites that Cloudflare works with) POTENTIALLY had the problem. Finally, if Fiverr does not use Cloudflare any more and the greatest period of impact was Feb 13-18 then it is unlikely that Fiverr was affected.

With all the above in mind, I won’t be changing my passwords as the risk appears to be minuscule but if you think you should then do.


#8

Yes, it was random “uninitialized memory” data. It could have leaked data that would allow access to passwords and internal systems though (someone said including Cloudflare API keys). Problem is that Cloudflare is connected to a huge portion of the internet (well probably not as big as Akamai but still quite large) and yes it was a small number of requests but that still adds up because it was a page rewrite issue (so every served page on affected sites had the problem). It could have just as easily been three words from someone’s comment about smelly armpits.

There’s also the problem that the leaked memory data could have appeared somewhere else, if I understand it correctly. So there’s no real way to find out who saw what from which sites, because it was just random crud.

Basically, depending on what was running through Cloudflare it could have been worse than an individual’s passwords.

The biggest problem is not even that the data was leaked, but how it was found. The data was found because it was being indexed by search engines.

And then there's the fact that they will not fix it. They fixed the symptom but not the cause, and it's concerning that people don't seem to notice. The cause being there shouldn't be uninitialized memory that the program has access to. Basically, they didn't bother to clear the memory like they should. And still aren't.

It was a combo of three of their services that caused it under certain circumstances, and basically their ‘initial mitigation’ was to turn one of them off. Wow, I could have figured that out. “It’s not working right! Turn it off!”

It could have been a leak of anything, or nothing. Who knows? They specifically worked with the search engines to purge the data, so we can’t see it anymore, but I can guarantee you somebody somewhere found something interesting. And will use it in the future.

The risk is very small, but it is a reminder that it’s best to change passwords randomly, and not use the same ones for multiple sites/services. And that blindly trusting the little green lock icon is trust misplaced.

And because I forgot the forums don’t like me to reply individually anymore, this is to @bolharr2250:

If it's easy to use, it's easy to screw up, or attack. With Cloudflare in particular, how was it ever secure to intermingle people's secure data? Most load balancing could be eliminated if people would just quit filling code with massive chunks of nothing, like loops instead of direct access (as a simple example). And with free, you get what you pay for. APIs are one of the most misused ideas on the internet.

Yes, but there’s no reason to do that via an API.

That’s true too, but how would someone vet something like Cloudflare? It’s not like people could hire a bunch of experts and say “give me access to your internal systems so I can review them.” Well, you could, if you had the money, but I think I know what the answer to the access request would be.
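As an added illustration of the bug class this post describes (a reused buffer that is never cleared, so leftovers from one request are emitted in another client's response), written for this thread and not taken from Cloudflare's code or the original post; the scratch buffer, field width and sample requests are constructed:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a proxy that rewrites requests through one reused scratch buffer.
   Constructed example to illustrate the bug class; it is not Cloudflare's code. */
#define FIELD 32
static char scratch[FIELD];  /* reused across requests; the vulnerable path never clears it */

/* Vulnerable: copies the new value in, then emits the whole fixed-width field, so every
   byte beyond the new value is whatever an earlier request left there. */
size_t emit_vuln(const char *value, char *out, size_t out_cap) {
    size_t n = strlen(value);
    if (n > FIELD) n = FIELD;
    memcpy(scratch, value, n);      /* bytes n..FIELD-1 keep their old contents */
    if (out_cap < FIELD) return 0;
    memcpy(out, scratch, FIELD);    /* stale bytes go out with the response */
    return FIELD;
}

/* Fixed: clear the buffer before reuse and emit only the bytes actually written. */
size_t emit_fixed(const char *value, char *out, size_t out_cap) {
    size_t n = strlen(value);
    if (n > FIELD) n = FIELD;
    memset(scratch, 0, FIELD);
    memcpy(scratch, value, n);
    if (out_cap < n) return 0;
    memcpy(out, scratch, n);
    return n;
}

/* Serve two requests through `emit` and report whether the second client's response
   contains `secret`, a fragment of the first client's request. Returns 1 if it leaks. */
int leaks_previous_request(size_t (*emit)(const char *, char *, size_t),
                           const char *first, const char *second, const char *secret) {
    char out[FIELD + 1];
    emit(first, out, FIELD);                 /* request 1, e.g. carries a session cookie */
    size_t n = emit(second, out, FIELD);     /* request 2 from an unrelated client */
    out[n] = '\0';
    return strstr(out, secret) != NULL;
}

int main(void) {
    /* constructed sample requests */
    const char *first = "session=secret-token-ABC123", *second = "page=1";
    printf("vulnerable leaks: %d\n", leaks_previous_request(emit_vuln, first, second, "secret-token"));
    printf("fixed leaks:      %d\n", leaks_previous_request(emit_fixed, first, second, "secret-token"));
    return 0;
}
```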


#9

Unless the automatic notices were the compromised system. :grin:

Great. Because Amazon is so secure. :worried:

It wouldn’t be a bad idea to change the title. On the other hand, people need to stop pretending that this stuff doesn’t matter too.


#10

Fiverr is using the Amazon CDN, right?


#11

What is Cloudflare and why should it affect fiverr?


#12

Dear Miss Crystal:

Cloudflare is a cloud based resource for storing massive quantities of data that could affect Fiverr IF, for example, Fiverr data was stored on Cloudflare and was unintentionally posted in such a way that unauthorized persons were able to access the data, which could include user log-ins and passwords.

The general gist of this conversation seems to be that Fiverr MIGHT NOT be affected.

Analogy: someone sneezes at the buffet at the Chinese restaurant.

If you ate at that Chinese restaurant around that time, you could get sick.

If you were at the pizza buffet and nobody sneezed, you’re probably okay.

So, we hope that we were having pizza that day (Amazon) and not Chinese (Cloudflare), but quite frankly, with all our Fiverr money, we all eat out at so many fine buffets so often, who really knows?

Good luck,
Blaise