CloudFlare boss’s Gmail hacked in redirect attack on 4Chan

CloudFlare says only one customer affected; hackers say many more are and details will be sold.

Content distribution network CloudFlare reset all its customer API keys over the weekend after its CEO’s personal and corporate Gmail was breached in an “elaborate” attack on one customer, which appears to have been the 4Chan message board.

According to CloudFlare CEO Matthew Prince, "a hacker" last Friday exploited a “subtle flaw” in Google Apps’ Gmail password recovery process, allowing them to break into his personal account, breach his CloudFlare.com Gmail address, bypass Gmail’s two-factor authentication (TFA), and redirect one customer’s website.

UGNazi, the hacker group that claimed credit for the huge breach at billing software provider WHMCS, has also laid claim to the attack on CloudFlare, according to a report by Softpedia.

Prince said on Saturday Google confirmed there was a “subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts.” Google said it had now blocked that attack vector.

Prince did not use Gmail’s TFA for his personal account; the company, however, did use it for all its CloudFlare.com Gmail accounts. Prior to Google’s confirmation, Prince was alarmed that TFA didn’t prevent CloudFlare.com’s accounts from becoming compromised, since it “should have prevented this attack, even if the attacker had the password.”

It’s unclear from Prince's explanation how the attacker "somehow convinced Google's account recovery systems to add a fraudulent recovery email address to my personal Gmail account". However, once the personal account was compromised, he said the attacker was able to use the password recovery feature for his CloudFlare.com Gmail account (which pointed at the personal account) to access his corporate email.

Prince said that no customer credit card details were exposed since those details never pass through its servers but go straight to a billing provider, and that “it appears” the attacker had not accessed its core database or seen additional client data.

However, a claim was made on the Twitter account of UGNazi member Cosmo that UGNazi had "gained full access into Cloudflare's server and obtained the database", in a post flagging that 4Chan was redirected to the UGNazi Twitter account.

Cosmo also told Softpedia that UGNazi did access CloudFlare's main server, could see all customer account information, including names, payment methods, user IDs, and had access to reset any account on CloudFlare. The hackers said they planned on selling the information on Darkode.

Cosmo also said Prince's explanation that the attacker "convinced" Google's account recovery was bogus, adding that there was "no way you could social engineer a Google App."

On Saturday Prince said CloudFlare found that some customer API keys were present in the “email accounts that were compromised”, which was why it reset all API keys, including those used by the CloudFlare WordPress plugin.

“In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts,” said Prince.

Despite the “troubling” realisation that Gmail’s two-factor authentication failed to prevent the attack when it should have, Prince urged others to use it and said he has since turned the feature on for his personal account.

Also, even though the password reset process was used to compromise Prince’s 20+ character, unique and randomised password, he encouraged others to use an “extremely strong” password for email and to “change any password recovery email to an account that you do not use for anything else and cannot easily be guessed by a determined hacker.”
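The weakness in this story is a chain, not a single account: the corporate Gmail had two-factor authentication, but its password-recovery path led to a personal account that did not. The following added example (not CloudFlare's or Google's code; all account names are constructed) audits a set of accounts by following recovery addresses transitively and flagging any 2FA-protected account whose chain reaches an account without 2FA, which is the check Prince's advice about isolated recovery accounts implies.

```python
"""Audit account-recovery chains for the weakest link. Added example; account
names below are constructed to mirror the article's corporate -> personal case."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    two_factor: bool
    recovery_emails: list = field(default_factory=list)  # names of other accounts


def recovery_chain(accounts: dict, start: str):
    """Follow recovery addresses transitively from `start` (cycle-safe).
    Returns (reachable accounts including start, reachable accounts lacking 2FA).
    Whoever controls any address in the chain can reset the password of the
    account that points at it, regardless of 2FA on that account."""
    seen, stack = [], [start]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        acct = accounts.get(name)
        if acct is None:  # recovery address outside the audited set (other provider)
            continue
        stack.extend(acct.recovery_emails)
    weak = [n for n in seen if n in accounts and not accounts[n].two_factor]
    return seen, weak


def audit(accounts: dict) -> dict:
    """Map each 2FA-protected account to the non-2FA accounts its recovery chain
    reaches; an empty result means no chain undermines 2FA."""
    findings = {}
    for name, acct in accounts.items():
        _, weak = recovery_chain(accounts, name)
        others = [w for w in weak if w != name]
        if acct.two_factor and others:
            findings[name] = others
    return findings


# Constructed sample: corporate account has 2FA but recovers to a personal account without it.
ACCOUNTS = {
    "ceo@corp.example": Account("ceo@corp.example", True, ["ceo@personal.example"]),
    "ceo@personal.example": Account("ceo@personal.example", False, ["backup@isolated.example"]),
    "backup@isolated.example": Account("backup@isolated.example", True, []),
    "ops@corp.example": Account("ops@corp.example", True, ["backup@isolated.example"]),
}

if __name__ == "__main__":
    for acct, weak in audit(ACCOUNTS).items():
        print(f"{acct}: 2FA bypassable via recovery chain through {weak}")
```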

3 Comments

Scott Goldman

1

Anyone, particularly those in public view, that doesn’t secure their email accounts and other web logins with a two-factor authentication method risks an intrusion by hackers with a first-grade education.

Two-factor authentication (known in the industry as “2FA”) involves something you know – such as your password – and something you have – such as a “token” or specific piece of information, to secure access to your account. The most popular variety is the largely-reviled “key fob” style that changes numbers constantly and requires complex installation, carrying an extra device with you all the time and is expensive.

In today’s world that’s nuts. Properly designed 2FA systems would allow Mr. Romney and others on his team to use their own personal cell phones to secure their logins. A properly designed 2FA system would use the phone’s “fingerprint” – unique to that phone and impervious to cloning or spoofing – to identify that user. If set up that way an intruder would need the ID, password and mobile device all at the same time… a very unlikely scenario seeing as most people have their own phones within arm’s reach constantly.

Ideally the system should be designed so that the verification code is shown in open text on the web page *instead* of a field into which the code can be entered. The code displayed must then be sent by the mobile that is associated with that account, and ONLY if that mobile (not a clone or a spoofed number – neither will work) sends the code is verification completed.

2FA systems aren’t perfect but utilizing the unique device ID of a mobile by reversing the process as described here, combined with a code and a PIN, reduces the likelihood of intrusion to an infinitesimal level. Mr. Romney’s team (along with anyone else who wishes to protect their data, identity, logins or accounts) should seek assurance by using one of these systems immediately.

3pqNRoq516

2

Hello,

I am traveling to your web site as a training for an English class (my basic tongue is Arabic), for which (my class) I should pay a quick visit and evaluate 8 website pages each day. (Kindly put up with my wrecked phrases as my group is performing at improving!)

I have to state that initially, picking your website was quite a coincidence, minimally since I was intrigued by your title, but my group is writing you as you in fact equally encouraged plus baffled me…

I've a bit of a tough moment (maybe this is as of my knowledge of English which is not so equivalent to yours, in which circumstance I am sorry) understanding your 4th point seeing as it looks to me (for a second time, if I'm the person who is mistaking , I express regret) that generally of what is put on the internet goes in contradiction of what you're writing . Even you seem to be saying the opposed exactly 7 lines underneath!

I hope you're not irritated with me as I actually think ALL the rest of your content is magnificent! You in truth are a able author.

So far as your internet blog itself is concerned, I quite enjoy how uncomplicated you organised your navigation and how effortlessly your informations is read (selection of colours for wording and background, dimension of lettering …) I enjoy the way you write, which I could portray as being specific, undivided still not utilizing many terms (I think the word is concise?).

I have saved your web blog and will come back quickly to glimpse what new stuff you generated .

Zhi peng.

PS unless you compose to me not to, I will reveal as regards your page with my Twitter contacts and on my website (which is on analogous subjects as yours yet rather then being in English, it is in Arabic )
