• Major security flaw in popular security vendor CloudFlare

  • Zesty.io credentials and encrypted data not affected

  • Websites using Cloudflare WAF may of had lead form transmission vulnerabilities

  • Zesty.io is offering new WAF (web application firewall) vendor Fastly

On February 19th, 2017, Google vulnerability researcher Tavis Ormandy discovered major websites were inadvertently exposing data while working on a side project last week. You can read the full threaded conversation of this discovery on Chromium Bug Forums.

The vulnerability was traced back to Cloudflare, a security software company that provides Transport Layer Security (TLS) certificates (which makes https:// in urls), Web Application Firewall (WAF) services, Content Delivery Network (CDN) for media, and Distributed Denial of Service (DDoS) protection.

In summary, Tavis stumbled upon unencrypted data coming from secure HTTPS websites. The S in HTTPS, stands for Secure because all transmission from that website would be encrypted on transmission, garbling the information so it could not be accessed. What Tavis found was a memory leak of data being inserted into HTTP requests. So information passed in lead form POST bodies may have been leaked randomly.

How does this affect Zesty.io?

Some Zesty.io customers use the CloudFlare WAF, TLD, and DDoS services, but The Zesty.io platform itself does not send traffic through CloudFlare. This means your Zesty.io login and any data sent within our applications is unaffected by this incident.

We take security very seriously at Zesty.io, and will keep you informed with any new developments on the story.

Outside of Zesty.io

There are 4,287,625 million potentially affected domains, and many are part of the top 10,000 most trafficked sites on the internet. We advise you to do research to protect yourself.

Additional News Resources

Update: Suggestions for Customers who use Authy Two Factor Authentication

Authy official comment: “To the best of Cloudflare's knowledge, Authy data was not discovered in any known cache but we are treating as if we are impacted. We are taking steps now, emailing customers with more detail & will publish a blog post soon.”

Customers will be getting an email from Authy, as you may, like some customers, use Authy for multiple service outside of Zesty.io.