This repository has been archived by the owner on Feb 8, 2018. It is now read-only.
React to Cloudbleed #4351
What about third-party services that we depend on? Most are listed here. We should probably roll creds for those that are affected.

chadwhitacre changed the title from "Cloudflare Reverse Proxies are Dumping Uninitialized Memory" to "React to Cloudbleed" on Feb 24, 2017
Neither Digital Ocean nor PagerDuty are available for automatic password changing.

I've manually changed the password for the Gratipay Digital Ocean account. Additionally, I cleared out the members of the team (cc: @clone1018 @rohitpaulk @techtonik). We can add folks back as necessary. I didn't remove existing keys, because I couldn't think of a way those would be affected.

Manually changed for both Gratipay and @rohitpaulk (sent to your email) on PagerDuty.

I think that's it, ya?
On January 24, 2017, Tavis Ormandy, a security researcher at Google, disclosed a memory leakage vulnerability in Cloudflare. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
This issue is to thoroughly investigate how this security vulnerability affects Gratipay.
Summary
As explained in Tavis' report and by the Cloudflare team here, some of Cloudflare's services rely on parsing and modifying HTML pages. These services sometimes leaked memory containing private information, which was then cached by search engines.

A simple Google Dork such as `{"scheme":"http"} CF-Host-Origin-IP` could reveal leaked data.

Investigation
Gratipay will assume that any password, private key and anything that is transferred over Cloudflare as compromised and will take the necessary precautions to remediate the issue.
Gratipay took the following steps during the investigation:

```shell
# Print only the Server response header; a Cloudflare-fronted host reports "Server: cloudflare".
curl -s -D - example.com -o /dev/null | grep -i '^Server:'
```

and http://www.doesitusecloudflare.com).

Does Gratipay use Cloudflare?
Although I have suggested we use Cloudflare (gratipay/inside.gratipay.com#957) in the past, Gratipay does not currently use Cloudflare.
Are any services used by Gratipay affected?
Gratipay uses 6 OAuth providers, which we believe are not affected by this incident.
These are other services Gratipay uses:
What were the possible exploits?
Gratipay uses PagerDuty to monitor gratipay.com and DigitalOcean hosts grtp.co and https://github.com/gratipay/bot.
All issues appear to only affect the Gratipay team. The only case where this could have affected Gratipay users would have been if an attacker had gained access to our DigitalOcean account, in which case they could have poisoned our widgets. We are confident that this never happened.
Conclusion
This investigation reveals that Gratipay's users are not directly affected by this incident. Nevertheless, we strongly advise our users to change any passwords for websites using Cloudflare.
We would like to thank Tavis Ormandy and the team at Cloudflare for how they dealt with this issue.
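The thread's triage question ("which of the third-party services we depend on sit behind Cloudflare, so that we roll those creds?") can be answered from the `curl -s -D -` header dumps the investigation used. The script below is an added example, not code from the Gratipay repository; the hostnames and header values in `SAMPLE_DUMPS` are constructed for illustration, and the fingerprints it checks (`Server: cloudflare`, `CF-RAY`, `cf-cache-status`) are assumed to be the headers Cloudflare's edge adds.

```python
"""Triage helper: flag Cloudflare-fronted services from raw curl header dumps.

Feed it the text that `curl -s -D - <host> -o /dev/null` prints for each
service; hosts showing Cloudflare fingerprints go to the top of the
credential-rotation list.
"""
import re
from typing import Dict, List

# Fingerprints assumed for Cloudflare's edge (Server header value and
# Cloudflare-specific response headers).
CF_SERVER_RE = re.compile(r"cloudflare", re.IGNORECASE)
CF_HEADER_NAMES = {"cf-ray", "cf-cache-status"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse one or more HTTP response header blocks (curl -L prints a block
    per redirect) into a lowercase-keyed dict; later blocks override earlier
    ones. Status lines and blank lines are skipped; CRLF is tolerated."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def uses_cloudflare(headers: Dict[str, str]) -> bool:
    """True when the Server header or a CF-specific header points at Cloudflare."""
    if CF_SERVER_RE.search(headers.get("server", "")):
        return True
    return any(name in headers for name in CF_HEADER_NAMES)


def triage(dumps: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose header dump indicates Cloudflare."""
    return sorted(host for host, raw in dumps.items()
                  if uses_cloudflare(parse_headers(raw)))


# Constructed sample dumps (hostnames and values invented, not real services).
SAMPLE_DUMPS = {
    "api.example-cf.test": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-SJC\r\n\r\n",
    "origin.example.test": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Type: text/html\r\n\r\n",
    "cdn.example-cf.test": "HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\ncf-cache-status: HIT\r\n\r\n",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_DUMPS):
        print(f"rotate credentials for {host}")
```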