September 2019 – Security

Why big ISPs aren’t happy about Google’s plans for encrypted DNS

September 30, 2019 by Timothy B. Lee

Timothy B. Lee

Enlarge (credit: Thomas Trutschel/Photothek via Getty Images) When you visit a new website, your computer probably submits a request to the domain name system (DNS) to translate the domain name (like arstechnica.com) to an IP address. Currently, most DNS queries are unencrypted, which raises privacy and security concerns. Google and Mozilla…

Not so static… Introducing the HTMLRewriter API Beta to Cloudflare Workers

September 30, 2019 by Rita Kozlov

Rita Kozlov

Today, we’re excited to announce HTMLRewriter beta — a streaming HTML parser with an easy to use selector based JavaScript API for DOM manipulation, available in the Cloudflare Workers runtime.For those of you who are unfamiliar, Cloudflare Workers is a lightweight serverless platform that allows developers to leverage Cloudflare’s network…

¡Bienvenidos a Latinflare!

September 30, 2019 by Hady Mendez

Hady Mendez

Our StoryWhen I first began interviewing with Cloudflare in the Spring of 2019, I came across a Cloudflare blog post announcing Proudflare, the company’s LGBTQIA+ Employee Resource Group (ERG). The post gave me a clear sense of the company’s commitment to diversity and inclusion. I could tell this was a…

PDFex: Major Security Flaws in PDF Encryption

September 30, 2019September 30, 2019 by Jens Müller

Jens Müller

After investigating the security of PDF signatures, we had a deeper look at PDF encryption. In cooperation with our friends from Münster University of Applied Sciences, we discovered severe weaknesses in the PDF encryption standard which lead to full plaintext exfiltration in an active-attacker scenario.To guarantee confidentiality, PDF files can be…

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting

September 28, 2019 by BrianKrebs

BrianKrebs

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two…

Cloudflare’s protection against a new Remote Code Execution vulnerability (CVE-2019-16759) in vBulletin

September 28, 2019 by Alex Cruz Farmer

Alex Cruz Farmer

Cloudflare has released a new rule as part of its Cloudflare Specials Rulesets, to protect our customers against a high-severity vulnerability in vBulletin. A new zero-day vulnerability was discovered for vBulletin, a proprietary Internet forum software. By exploiting this vulnerability, bad actors could potentially gain privileged access and control to…

#WIBattack: Not only [email protected] Browser, but also WIB SIM toolKit is vulnerable to SimJacker attacks

September 28, 2019 by Andrea Fortuna

Andrea Fortuna

Do you remember the Simjacker vulnerability, that resides in the [email protected] Browser toolkit, installed on a variety of SIM cards provided by mobile operators in at least 30 countries? Well, a researcher at Ginno Security Lab has revealed that another SIM toolkit, called Wireless Internet Browser (WIB), can also be…

Birthday Week 2019 Wrap-up

September 27, 2019 by Jake Anderson

Jake Anderson

This week we celebrated Cloudflare’s 9th birthday by launching a variety of new offerings that support our mission: to help build a better Internet. Below is a summary recap of how we celebrated Birthday Week 2019.Cleaning up bad botsEvery day Cloudflare protects over 20 million Internet properties from malicious bots,…

Checkm8: a new ‘unpatchable’ jailbreak for all iOS devices from iPhone 4s to iPhone X

September 27, 2019 by Andrea Fortuna

Andrea Fortuna

The security expert Axi0mX has released a new jailbreak, dubbed Checkm8, that works on all iOS devices running on A5 to A11 chipsets: so all Apple products released between 2011 and 2017, including iPhone models from 4S to X. The exploit was released for free on GitHub: the researcher described it as a “permanent…

MyPayrollHR CEO Arrested, Admits to $70M Fraud

September 27, 2019 by BrianKrebs

BrianKrebs

Earlier this month, employees at more than 1,000 companies saw one or two paycheck’s worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed…

Workers Sites: Extending the Workers platform with our own serverless building blocks

September 27, 2019 by Ashley Williams

Ashley Williams

As of today, with the Wrangler CLI, you can now deploy entire websites directly to Cloudflare Workers and Workers KV. If you can statically generate the assets for your site, think create-react-app, Jekyll, or even the WP2Static plugin, you can deploy it to our entire global network, which spans 194…

Workers Sites: deploy your website directly to our network

September 27, 2019 by Rita Kozlov

Rita Kozlov

Performance on the web has always been a battle against the speed of light — accessing a site from London that is served from Seattle, WA means every single asset request has to travel over seven thousand miles. The first breakthrough in the web performance battle was HTTP/1.1 connection keep-alive…

Podcast Episode 47: Staying Secure through Community Cooperation with GiveWP’s Matt Cromwell

September 26, 2019 by Kathy Zant

Kathy Zant

At WordCamp Sacramento, Matt Cromwell from GiveWP talked with us about how Give began, their mission of democratizing generosity, and how they handled the vulnerability disclosure from the Wordfence team. When our security researchers reached out to provide a proof of concept, the Give and Wordfence teams worked together to…

Authentication Bypass Vulnerability in GiveWP Plugin

September 26, 2019 by Chloe Chamberland

Chloe Chamberland

Description: Authentication Bypass with Information Disclosure CVSS v3.0 Score: 7.5 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Plugin: GiveWP Plugin Slug: give Affected Versions: <= 2.5.4 Patched Version: 2.5.5 A few weeks ago, our Threat Intelligence team discovered a vulnerability present in GiveWP, a WordPress plugin installed on over 70,000 websites. The weakness…

HTTP/3: the past, the present, and the future

September 26, 2019 by Alessandro Ghedini

Alessandro Ghedini

During last year’s Birthday Week we announced preliminary support for QUIC and HTTP/3 (or “HTTP over QUIC” as it was known back then), the new standard for the web, enabling faster, more reliable, and more secure connections to web endpoints like websites and APIs. We also let our customers join…

1 2 3 4 Next »