gratipay / gratipay.com

Here lieth a pioneer in open source sustainability. RIP
https://gratipay.news/the-end-cbfba8f50981
MIT License

React to Cloudbleed #4351

Closed EdOverflow closed 7 years ago

EdOverflow commented 7 years ago

On January 24, 2017, Tavis Ormandy, a security researcher at Google, disclosed a memory leakage vulnerability in Cloudflare. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

This issue is to thoroughly investigate how this security vulnerability affects Gratipay.

Summary

As explained in Tavis' report and by the Cloudflare team here, some of Cloudflare's services rely on parsing and modifying HTML pages. These services sometimes leaked memory containing private information, which was then being cached by search engines.

A simple Google Dork such as {"scheme":"http"} CF-Host-Origin-IP could reveal leaked data.

Investigation

Gratipay will assume that any password, private key, or anything else transferred over Cloudflare is compromised, and will take the necessary precautions to remediate the issue.

Gratipay took the following steps during the investigation:

1) Ensure none of our services use Cloudflare (using tests such as `curl -s -D - example.com -o /dev/null >&1 | grep Server` and http://www.doesitusecloudflare.com).
2) Ensure that no services used by Gratipay are listed in https://github.com/pirate/sites-using-cloudflare.
3) Use search engines to find possible leaks.

Does Gratipay use Cloudflare?

Although I have suggested we use Cloudflare (https://github.com/gratipay/inside.gratipay.com/issues/957) in the past, Gratipay does not currently use Cloudflare.

| Service | Uses Cloudflare? | Listed in "Sites using Cloudflare"? | Any results on search engines? |
|---|---|---|---|
| gratipay.com | NO | NO | NO |
| assets.gratipay.com | NO | NO | NO |
| downloads.gratipay.com | NO | NO | NO |
| grtp.co | NO | NO | NO |

Are any services used by Gratipay affected?

Gratipay uses 6 OAuth providers, which we believe are not affected by this incident.

| Service | Uses Cloudflare? | Listed in "Sites using Cloudflare"? | Any results on search engines? |
|---|---|---|---|
| Twitter | NO | NO | NO |
| GitHub | NO | NO | NO |
| Facebook | NO | NO | NO |
| Google | NO | NO | NO |
| Bitbucket | NO | NO | NO |
| OpenStreetMap | NO | NO | NO |

These are other services Gratipay uses:

| Service | Uses Cloudflare? | Listed in "Sites using Cloudflare"? | Any results on search engines? |
|---|---|---|---|
| report-uri.io | NO (cdnjs.cloudflare.com) | NO | NO |
| Paramount | - | - | - |
| Heroku | NO | NO | NO |
| Freshdesk | NO | NO | NO |
| iWantMyName | NO | NO | NO |
| Transifex | NO | NO | NO |
| MaxCDN | NO | NO | NO |
| DigitalOcean | YES :warning: | YES :warning: | YES :warning: |
| StartSSL | NO | NO | NO |
| Typography.com | NO | NO | NO |
| Papertrail | NO | NO | NO |
| Librato | NO | NO | NO |
| LastPass | NO | NO | NO |
| DNSimple | NO | NO | NO |
| GSuite | NO | NO | NO |
| PagerDuty | YES :warning: | NO | NO |
| Sentry | NO | NO | NO |
| Travis CI | NO | NO | NO |
| Balsamiq | NO | NO | NO |
| Uptime Robot | NO | NO | NO |
| SlackArchive.io | NO | NO | NO |
| Slack | NO | NO | NO |
| Amazon Web Services | NO | NO | NO |
| Read the Docs | NO | NO | NO |
| Icomoon | NO | NO | NO |

What were the possible exploits?

Gratipay uses PagerDuty to monitor gratipay.com, and DigitalOcean hosts grtp.co and https://github.com/gratipay/bot.

All issues appear to only affect the Gratipay team. The only case in which this could have affected Gratipay users would be if an attacker had gained access to our DigitalOcean account, in which case they could have poisoned our widgets. We are confident that this never happened.

Conclusion

This investigation reveals that Gratipay's users are not directly affected by this incident. Nevertheless, we strongly advise our users to change any passwords for websites using Cloudflare.

We would like to thank Tavis Ormandy and the team at Cloudflare for how they dealt with this issue.
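As an added example (not code from this issue or from Gratipay), the header check behind step 1 of the investigation above, done by parsing the `curl -s -D -` output instead of grepping it, and combined with the list check from step 2 so each service gets a rotate-or-not verdict. The hostnames, header dumps and the list of listed sites are constructed stand-ins, not captures of any real host.

```python
# Added example: header-based check for investigation step 1 (the
# `curl -s -D - ... | grep Server` test) plus a cross-check against a list
# such as pirate/sites-using-cloudflare. Hostnames and headers are constructed.
from typing import Dict, List, Set

# Response headers that a Cloudflare edge adds to responses it proxies.
CLOUDFLARE_MARKERS = ("cf-ray", "cf-cache-status")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a `curl -D -` dump into {lower-name: [values]}; redirect chains are merged."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # blank separator between blocks, or a status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def uses_cloudflare(raw_headers: str) -> bool:
    """True if any header shows the response passed through Cloudflare."""
    headers = parse_headers(raw_headers)
    if any(marker in headers for marker in CLOUDFLARE_MARKERS):
        return True
    # `Server: cloudflare` / `cloudflare-nginx` is what the `grep Server` test spots.
    return any("cloudflare" in v.lower() for v in headers.get("server", []))


def triage(services: Dict[str, str], listed_sites: Set[str]) -> Dict[str, dict]:
    """Per service: header signal, list signal, and whether credentials should be rolled."""
    result = {}
    for host, raw in services.items():
        by_headers, listed = uses_cloudflare(raw), host in listed_sites
        result[host] = {"headers": by_headers, "listed": listed,
                        "rotate_credentials": by_headers or listed}
    return result


# Constructed sample dumps; not real captures of any Gratipay host.
SAMPLE_SERVICES = {
    "app.example": "HTTP/1.1 200 OK\r\nServer: gunicorn/19.6.0\r\n\r\n",
    "cdn.example": "HTTP/1.1 200 OK\r\nServer: cloudflare-nginx\r\nCF-RAY: 0123abcd-EXAMPLE\r\n\r\n",
    "status.example": "HTTP/1.1 301 Moved\r\nLocation: /x\r\n\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}
SAMPLE_LIST = {"status.example"}  # constructed stand-in for the public list
```

A host with no Cloudflare headers can still be flagged via the list (status.example here), which is why the issue ran both checks rather than trusting the header alone.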

chadwhitacre commented 7 years ago

What about third-party services that we depend on? Most are listed here. We should probably roll creds for those that are affected.

chadwhitacre commented 7 years ago

Canonical list is here.

chadwhitacre commented 7 years ago

slack

chadwhitacre commented 7 years ago

Neither Digital Ocean nor PagerDuty are available for automatic password changing.

chadwhitacre commented 7 years ago

I've manually changed the password for the Gratipay Digital Ocean account. Additionally, I cleared out the members of the team (cc: @clone1018 @rohitpaulk @techtonik). We can add folks back as necessary. I didn't remove existing keys, because I couldn't think of a way those would be affected.

[screenshot taken 2017-02-24 at 1:54:09 pm]

chadwhitacre commented 7 years ago

Manually changed for both Gratipay and @rohitpaulk (sent to your email) on PagerDuty.

[screenshot taken 2017-02-24 at 2:03:10 pm]

chadwhitacre commented 7 years ago

I think that's it, ya?

chadwhitacre commented 7 years ago

Re: #CloudBleed:

  1. We don't use @/Cloudflare.
  2. Neither do our OAuth providers.
  3. We've rolled some passwords.

https://github.com/gratipay/gratipay.com/issues/4351 … 👍

https://twitter.com/Gratipay/status/835205917884968960