Cloudflare bug leaked sensitive data

Not sure how much this affects the OEM site, or individual users that utilize Cloudflare…
 

1 Like

I told the Admins about that yesterday. Cloudflare have confirmed OEM is not affected. Glyn has all the details.

1 Like

On the topic of security: that is generally why I keep my data stored locally. To rely on multiple centralized servers to maintain security for everyone just reduces overall security for everyone, as you become an easier, larger and larger group target…

Hi guys, thanks for letting us know. I had an email from Cloudflare a few days ago letting me know that none of our domains have been affected by the leak. The email said:

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

The Cloudflare features that used the affected HTML parser (email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites) have never been in use on our sites.

Very interesting reading: an amazingly detailed incident report from CF. It seems it was all down to a little pointer error due to using == instead of >=.

While serious, only 1 in every 3 million requests got leaked, so it would be very unlikely that user credentials would have been compromised. However, as always, if in doubt, there is no harm in changing passwords as a precaution.

Since none of our domains have been affected by the leak, I don’t think it’s necessary to force all users to reset passwords.
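
The `==` versus `>=` end-of-buffer check mentioned in the post above, shown as an added example that is not part of the thread and is not Cloudflare's code. It is a toy scanner with constructed data; the names `scan`, `run`, `CHECK_EQ` and `CHECK_GE` are hypothetical, and the "neighbouring memory" is simulated inside one array so the over-read stays well-defined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed data: a page ending in a lone '<', then bytes standing in for
   a neighbouring allocation. One array holds both, so walking past the page
   is well-defined C here and only simulates the over-read. */
#define PAGE      "hello <"
#define NEIGHBOUR "session=SECRET"
static const char ARENA[] = PAGE NEIGHBOUR;

enum end_check { CHECK_EQ, CHECK_GE };   /* hypothetical names */

/* Toy scanner: copies [p, pe) to out, dropping two-byte markers such as "<b".
   The marker step advances p by 2, so a '<' in the last byte moves p to
   pe + 1. `limit` is a demo-only guard marking the end of ARENA. */
size_t scan(const char *p, const char *pe, const char *limit,
            enum end_check mode, char *out, size_t cap)
{
    size_t n = 0;
    while (p < limit && n + 1 < cap) {
        int at_end = (mode == CHECK_EQ) ? (p == pe) : (p >= pe);
        if (at_end)
            break;
        if (*p == '<') {
            p += 2;            /* skip marker without looking at pe */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Run the scanner over PAGE only and return what it emitted. */
const char *run(enum end_check mode, char *out, size_t cap)
{
    const char *pe = ARENA + strlen(PAGE);
    scan(ARENA, pe, ARENA + sizeof ARENA - 1, mode, out, cap);
    return out;
}

int main(void)
{
    char buf[64];
    printf("== check: \"%s\"\n", run(CHECK_EQ, buf, sizeof buf));
    printf(">= check: \"%s\"\n", run(CHECK_GE, buf, sizeof buf));
    return 0;
}
```

With well-formed input both checks behave identically, which is why an equality test against the end pointer can pass ordinary testing and only misbehave on the rare input that steps the cursor over the end.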