Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. bugs.chromium.org/p/project-zero
Tweet
Conversation
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48"><rect fill-opacity="0"/></svg>)
Bloodrain would let you do a metal t-shirt line
2
the tweet says 1password...
1
3
Show replies
Uh read the log.
1
13
Show replies
Replying to
So it just took a single ">" rather than a "=" to leak loads of HTTPS data. OMG.
5
25
Replying to
this prolly explains why I saw CloudFlare's nginx.conf memleaked inside the content on a cached site by Google..
7
48
Replying to
their post-mortem indicates this would've been exploitable only 4 days prior to your initial contact. Is that info invalid?
1
3
Yes, they worded it confusingly. It was exploitable for months, we have the cached data.
2
39
62
Show replies
everyone that got paged and is working tonight deserves one too cc
1
2
Nothing to worry about here. I got your back:
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="900" height="338"><rect fill-opacity="0"/></svg>)
3
27
94
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="56" height="48"><rect fill-opacity="0"/></svg>)
Replying to
you and the other project zero guys are so disgustingly good at everything it hurts
1
36
"of course I have imposter syndrome. I'm a scrub!" "Why do ya say that?" "You don't follow Tavis on twitter, do you?"
1
6
This Tweet is from a suspended account. Learn more
Replying to
I can hear corp customers "but nobody was looking, so we're safe" like they did with Heartbleed. Massive bug, great find
Replying to
Did you actually find plaintext passwords? My understanding was that they encrypt passwords E2E & decrypt in-browser
1
7
No 1Password data was ever at risk - we add a layer of encryption above SSL/TLS, read here:
2
36
48
Show replies
Tavis’s bug doesn’t mention you by name. He couldn’t realistically notify every customer of Cloudflare.
2
1
10
Show replies
Yes, we recovered and purged cached 1Password api data.
5
11
20
1
4
Show replies
Is it possible I wonder to get a list of impacted websites? So I can see what passwords I need to change...
1
1
1
wasn't in response to you tight ass
14
we use a session-specific encryption key to lock down the data in transport, so we aren’t dependent on SSL/TLS
3
Quote Tweet
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24"><rect fill-opacity="0"/></svg>)
Janine
@J9Roem
·
Replying to @J9Roem
List being built by @thesquashSH #cloudbleed github.com/pirate/sites-u
1
2
Replying to
I made a list of potentially affected domains:
5
11
We do use CloudFlare, and it is indeed true we are secure against these vulnerabilities!
1
I hope everyone who dogpiled him for "attention whoring" at the time feels real silly :D
1
Replying to
This answer, as a password manager app user, really makes me wonder :-(
@dxgl_info
1
1
Replying to
Is it possible that server private HTTPS keys were leaked in the uninitialized data? Will do a SSL key flush / replace?
1
1
We don't think so, just the contents of HTTPS sessions.
2
This Tweet is from a suspended account. Learn more
1
New to Twitter?
Sign up now to get your own personalized timeline!
Trending now
What’s happening
News
Yesterday
フィンランド・スウェーデンのNATO加盟手続き開始へ
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="120" height="80"><rect fill-opacity="0"/></svg>)
World news
LIVE
ロシアによるウクライナへの侵攻状況
cnn_co_jp
Last night
ケタンジ・ブラウン・ジャクソン氏、黒人女性初の米最高裁判事に就任
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="240" height="135"><rect fill-opacity="0"/></svg>)