Hacker News new | ask | show | jobs
by slipmagic 3400 days ago
I would be pretty mad if a website that I was supposed to trust with my data made an untrue statement about how something was taken care of, when it was not, and then publish details of the bug while cache it still out in the wild, and now exploitable by any hacker who was living under a rock during the past few months.
1 comments
nodesocket 3400 days ago
Actually I proxy two of my profitable startup frontend sites with CloudFlare, so I am affected (not really), but giving them the benefit of the doubt as they run a great service and these things happen.
link
phaed 3400 days ago
They are well past deserving the benefit of the doubt.

I would also advise you notify your cloud-based services' customers how they might be affected (yes really), trust erosion tends to be contagious.

link
josephb 3400 days ago
Agreed. The condescending downplaying tones displayed just aren't acceptable.
link
nodesocket 3400 days ago
We only host our static corporate sites (not apps) and furthermore never used CF email obfuscation, server-side excludes or automatic https rewrites thus not vulnerable.
link
potatosareok 3400 days ago
Hi,

I think you have misunderstood the issue. Just because YOU did not use those services does not mean your data was not leaked. It means that other peoples data was not leaked on YOUR site, but YOUR data could be leaked on other sites that were using these services.

link
sillysaurus3 3400 days ago
We only host our static corporate sites (not apps)

If this part is true, they're not vulnerable. Only data that was sent to CloudFlare's nginx proxy could have leaked, so if they only proxy their static content, then that's the only content that would leak.

The rest of their comment gives the wrong impression though, yeah.

link
acqq 3399 days ago
> Only data that was sent to CloudFlare's nginx proxy could have leaked, so if they only proxy their static content, then that's the only content that would leak.

The way it worked, the bug also leaked data sent by the visitors of the these "static sites": IP addresses, cookies, visited pages etc.

link
nodesocket 3400 days ago
Thanks for clarifying. You are absolutely right.
link
tptacek 3400 days ago
So far as I know, nothing like this thing has ever happened at any CDN ever before.
link
rdl 3399 days ago
There have definitely been incidents where CDNs mixed up content (of the same type) between customers. Not exactly like this, but close.
link