Content distribution network CloudFlare reset all its customer API keys over the weekend after its CEO’s personal and corporate Gmail was breached in an “elaborate” attack on one customer, which appears to have been the 4Chan message board.
According to CloudFlare CEO Matthew Prince, "a hacker" last Friday exploited a “subtle flaw” in Google Apps’ Gmail password recovery process, allowing them to break into his personal account, breach his CloudFlare.com Gmail address, bypass Gmail’s two-factor authentication (TFA), and redirect one customer’s website.
Prince said on Saturday Google confirmed there was a “subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts.” Google said it had now blocked that attack vector.
Prince did not use Gmail’s TFA for his personal account; the company, however, did use it for all its CloudFlare.com Gmail accounts. Prior to Google’s confirmation, Prince was alarmed that TFA had not prevented CloudFlare.com’s accounts from being compromised, since it “should have prevented this attack, even if the attacker had the password.”
It’s unclear from Prince's explanation how the attacker "somehow convinced Google's account recovery systems to add a fraudulent recovery email address to my personal Gmail account"; however, once that account was compromised, he said the attacker was able to use the password recovery feature for his CloudFlare.com Gmail account to access his corporate email.
Prince said that no customer credit card details were exposed since those details never pass through its servers but go straight to a billing provider, and that “it appears” the attacker had not accessed its core database or seen additional client data.
However, a claim was made on the Twitter account of UGNazi member Cosmo that UGNazi had "gained full access into Cloudflare's server and obtained the database", in a post flagging that 4Chan was redirected to the UGNazi Twitter account.
Cosmo also told Softpedia that UGNazi did access CloudFlare's main server, could see all customer account information, including names, payment methods and user IDs, and had access to reset any account on CloudFlare. The hackers said they planned on selling the information on Darkode.
Cosmo also said Prince's explanation that the attacker "convinced" Google's account recovery was bogus, adding that there was "no way you could social engineer a Google App."
On Saturday Prince said CloudFlare had found that some customer API keys were present in the “email accounts that were compromised”, which was why it reset all API keys for things such as the CloudFlare WordPress plugin.
“In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts,” said Prince.
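The two mitigations Prince describes, invalidating every customer API key at once and no longer sending keys by email, are easy to get wrong if keys are stored in a form that can be read back later. The following is an added illustration written for this article, not CloudFlare's code: a hypothetical in-memory key store that keeps only a SHA-256 digest of each key, so a copy of the store (or an email that once carried a key) cannot be used after a bulk rotation. The `KeyStore` class, the account IDs and the delivery step are all assumptions of this example.

```python
"""Bulk API key rotation with hash-only storage (illustrative, not CloudFlare's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyStore:
    # account_id -> SHA-256 hex digest of that account's current API key.
    # Constructed in-memory store for the example; a real service would use a database.
    digests: dict = field(default_factory=dict)

    @staticmethod
    def _digest(raw_key: str) -> str:
        # Only the digest is persisted; the raw key exists just long enough to hand to the customer.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, account_id: str) -> str:
        """Generate a fresh random key for one account, store its hash, return the raw key once."""
        raw = secrets.token_urlsafe(32)          # 256 bits of CSPRNG-backed entropy
        self.digests[account_id] = self._digest(raw)
        return raw

    def verify(self, account_id: str, raw_key: str) -> bool:
        """Authenticate an API call; constant-time compare avoids leaking digest prefixes."""
        stored = self.digests.get(account_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(raw_key))

    def rotate_all(self) -> dict:
        """Invalidate every existing key in one pass and return the replacements for delivery.

        The returned raw keys should be shown once over an authenticated dashboard
        session, never emailed, so a mailbox compromise cannot recover them.
        """
        return {acct: self.issue(acct) for acct in list(self.digests)}


if __name__ == "__main__":
    store = KeyStore()
    old = store.issue("acct-example")          # constructed account ID
    fresh = store.rotate_all()["acct-example"]
    print("old key still valid:", store.verify("acct-example", old))    # False
    print("new key valid:", store.verify("acct-example", fresh))        # True
```

The point of hashing is that a leaked copy of the store, like the keys that turned up in the compromised mailboxes, is useless on its own, and `rotate_all` makes any raw key that did escape worthless in a single operation.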
Despite the “troubling” realisation that Gmail’s two-factor authentication had failed to prevent the attack when it should have, Prince urged others to use it and said he has since turned the feature on for his personal account.
Also, even though the password reset process was used to compromise Prince’s 20+ character, unique and randomised password, he encouraged others to use an “extremely strong” password for email and to “change any password recovery email to an account that you do not use for anything else and cannot easily be guessed by a determined hacker.”