5

As some of you may know, a Cloudflare vulnerability has been released yesterday. From what I understood, a lot of websites have been affected because they hosted JS libraries on their CDNs.

Some references:

From this last link you have a "What should I do ?" section :

Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), you should probably change all your important passwords.

Submit PR's to add domains that you know are using cloudflare

Now, regarding Magento specifically:

  • should we change all the Magento passwords ?
  • admin passwords ?
  • frontend passwords too ?
  • email the entire customer database and change the hashes so they use the forgot password feature ?
Improve this question

1 Answer 1

Reset to default
6

Your actions should really depend upon how much, and for what, you used cloudflare.

  • If you only use javascripts libraries hosted on Cloudflare, you should be quite safe. The only 'private' data that could be leaked that way is through Referrer URL's in the HTTP(S) requests. This could mean that your admin URL got leaked, or locations of private tools.

  • If you use Cloudflare to host your static content, it depends. If you host said content on a separate host, and your main domain does not point at Cloudflare, only those requests could have been leaked. These may still contain sensitive information: Incorrectly configured cookies, and URL's, could still be visible. If you have Cloudflare pass through your requests, and only handle the static ones, all information is still being sent through Cloudflare, and can thus be leaked.

  • If your site was hosted through Cloudflare, then all the requests sent to your website, and any data sent by your website could potentially have been leaked. That means users logging in, orders placed, payment information that was submitted, but also API calls, and operations performed by backend users; all could have been leaked. In such a case, I would definitely be resetting all admin passwords, and strongly consider resetting user passwords, or at the least inform users that their information might be leaked. For this, I would point you to your own internal policies, and keep PCI compliancy certifications, merchant agreements, and any applicable laws, in consideration.

Also note, whether or not you used HTTPS does not matter at this point, since HTTPS only protects data in transit. Once the data arrived at Cloudflare, it was decrypted and held in memory while forwarding it to the backend servers.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.