If you haven’t already, you’ll hear in the news at some point in the coming days that Cloudflare found a bug that was leaking data. Massive numbers will be thrown about and people who enjoy drama will urge you to panic.
If you’re interested in the complete technical breakdown (including code samples), read this: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
The bug existed for 4 days and so far they have only found about 161 domains (about 770 specific URLs) whose content was found in search engine caches. Every site that was impacted has been notified. Crit.tv uses Cloudflare and has not been notified of any impact.
The circumstances for the Cloudflare leak are very specific:
- The page had to end with an open script or image tag
- The Cloudflare user had to have Email Obfuscation or Automatic HTTPS rewrite AND Server-Side Excludes, which only fire if the end user’s IP has a poor reputation.
To simplify it: only visitors whose IP has a poor reputation would trigger the bug and then only if the page they were visiting had an open script or image tag.
As Crit.tv runs on well-developed platforms, I haven’t been able to locate any pages that end in open script or image tags.
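One way to audit your own pages for the first condition above, as an added example that is not part of the original post and not Cloudflare's code: it reports whether an HTML document is cut off inside a script or img start tag. Reading "open" as a start tag that never reaches its closing `>` is an assumption, and the function names and sample pages are constructed for illustration.

```python
import re

TRIGGER_TAGS = {"script", "img"}          # the two tags the post names
START_TAG = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")

def _tag_end(html, pos):
    """Index just past the '>' that closes the tag being scanned, or -1.
    A '>' inside a quoted attribute value does not close the tag."""
    quote = None
    for i in range(pos, len(html)):
        ch = html[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ">":
            return i + 1
    return -1

def trailing_open_tag(html):
    """Name of the start tag the document is cut off inside, or None."""
    lower, pos = html.lower(), 0
    while True:
        m = START_TAG.search(html, pos)
        if not m:
            return None
        name = m.group(1).lower()
        end = _tag_end(html, m.end())
        if end == -1:
            return name                   # EOF reached inside this tag
        if name == "script":
            # Script bodies are raw text: jump to the closing tag so a '<'
            # in JavaScript (e.g. "a<b") is not mistaken for markup.
            close = lower.find("</script", end)
            if close == -1:
                return None               # start tag itself was complete
            end = close
        pos = end

def is_at_risk(html):
    return trailing_open_tag(html) in TRIGGER_TAGS

# Constructed sample pages (assumptions, not real site content).
SAMPLES = {
    "complete": "<body><img src='a.png'><script>if (a<b) go();</script></body>",
    "cut_script": "<html><body><p>hi</p><script type=",
    "cut_img": '<p>x</p><img alt="1 > 0" src=',
    "cut_div": "<p>x</p><div class=",
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(label, trailing_open_tag(page), is_at_risk(page))
```

The scanner is deliberately simple: it does not model HTML comments, so an unfinished tag inside a comment at the end of a file is also reported.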
- Use different passwords for each site
- Rotate your passwords regularly (once or twice a year)
- Use strong, randomly generated passwords
- When available, use two-factor authentication