Friday, February 24, 2017

Cloudflare security incident statement

Few hours ago Cloudflare informed the world that they discovered a security problem that could result in sensitive data being leaked. You can read it all over the news.

Cloudflare is used by over 4 million websites across the Internet, including Medium, YCombinator, Bitpay, Patreon, TransferWise, Coinbase, Authy, Okcupid, Zendesk, Curse network, Discord, among many other big websites. You can download compressed list of all potentially vulnerable websites here.

RiftCat also uses Cloudflare but we received an e-mail from Cloudflare informing us that they didn't find any of our data leaked:

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. 

The leak isn't RiftCat specific. Any* of the users visiting any of the 4M websites could have seen part of someone's else data in website source. For example, while visiting there was an astronomically small chance of someone's Uber/Fitbit/Okcupid** password being hidden in page source (and the other way around).

Chances of your sensitive data being leaked from the affected sites are very, very small. According to Cloudflare one out of 3 million requests (0.00003%) contained hidden parts of someone's else request[1]. Those hidden parts were probably some sort of generic web traffic because most web traffic is just people browsing pages and not entering their passwords. It was also random and hidden by nature of the problem so it's unlikely that someone could use this as an attack on any of the services listed.

An analogy of this event in real world scenario would be a 0.00003% chance of finding totally random item from someone's else house under your door rug. If you haven't looked under the mat during this unlikely event, it was gone (unless it landed under bot's door rug which is also quite rare)

Most of publicly cached mixed pages are already removed. Cloudflare found 150 page requests publicly available in web caches.

RiftCat data was not found in any of the publicly leaked data. 

Nonetheless you might want to change your passwords around the Internet if you want to minimize your chances of being compromised. It's highly recommended that you don't ever use the same password twice. Stay secure.

*It might be limited to users using Cloudflare scrape shield only but it's not confirmed.
** According to TechCrunch they were confirmed as affected. See [3]

Further reading:


  1. Replies
    1. Probably in few weeks. We are now testing new APIs and we'll be sending previews to some 3rd party devs this week or the next one. We want to get some feedback before releasing it publicly.

  2. I'm sorry... cant handle my own curious... but who are the other 3rd party devs? Nolo is one... but the others??

    1. Finch Shift


      Plus we want to integrate better with PS Moves.

    2. Mmmm... interesting... Good luck!!

  3. I want choose old version(Version of November 2016)
    The latest version could not be used with noise.