The "Cloudbleed" issue: keeping you safe
-
@gaelle: Thanks for help
-
@adam-jablonski2 said:
After using the “Recover password” link I received a message: "Password recovery information has been sent to the email registered with the account adam.jablonski.". But that's the email I have no access to, because of “Cloudbleed”! As you see, I created a new account to get in touch with you. HELP!
Is there anybody able to help me?
-
@adam.jablonski2 Obviously, you should enter a different email address to send the recovery information. Probably the one that you used to set up the Vivaldi email account.
-
I lost my Vivaldi acc because of this, help me! BTW, don't email the email on this acc. It's the Vivaldi one.
-
@dleon: That's what I did a few hours ago. Still waiting for a reply.
-
@pesala: Indeed, I completely forgot about my (now almost unused) hotmail account - password recovery information ended up in there. Thank you so much!
-
@quinca71: Oh, absolutely. So do you.
-
@yngve: BleepingComputer's article says that the three options I mentioned had to be enabled for the issue to affect a domain protected by Cloudflare, and I don't know any security experts who are saying that you could find information from one domain in HTTP headers for another domain protected by Cloudflare. I'll have to take some time to go over the vulnerability report, the data made public by Cloudflare, and analysis of that data by other security experts to validate whether or not that is the case.
-
@yngve: So far the only things I am seeing that suggest that data from one domain could end up in the HTTP headers for a page at another domain is the following:
A statement in the Cloudflare report that said "Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site."
Google's Tavis Ormandy said "because reverse proxies are shared between customers, it would affect all Cloudflare customers" in his original report on his discovery.
The second statement could simply be the researcher saying that every website using Cloudflare could be vulnerable to this, and may not mean that he was seeing data from one domain in headers from pages at another domain. There is nothing else in his vulnerability report that indicates that he was seeing information from one domain in headers for pages at another domain, and his screenshots appear to only show information from single domains and not multiple domains.
As for the first statement, it does clearly say "an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site." Note it says could, as opposed to did. That's not to say it didn't happen (obviously it could happen), but at the same time no one is clearly saying that it did happen.
I'll continue reading to see if anyone has data showing that such a thing actually happened. Obviously in the absence of any real evidence it is safer to just assume the worst.
-
Thank you Team Vivaldi for preserving i_ri's account.
Thank You Gaelle for your recent solution has i_ri signed-in.
-