On Thursday, February 23, Cloudflare, the content delivery network (CDN) provider that Vivaldi uses to host some of our websites, disclosed that for some months their servers had been leaking sensitive data (passwords, cookies, form submissions and some kinds of encryption keys) from some sites into HTTP responses served for unrelated sites. The problem has been fixed since February 18, after one of Google’s security researchers notified them of the issue.
The leaks, most likely, were random, and it is impossible to say whether or not the information for a given user has been leaked or if it was abused by someone who may have discovered the issue. When we became aware of the issue, we investigated how this impacted our sites and our users. We determined that:
- Session cookies for our websites could have leaked, and we have therefore deleted the sessions that might be affected. For the most part, this will not be visible for Vivaldi users visiting our community sites as their session is automatically regenerated.
- The passwords of users who logged in to Vivaldi.net between September 21 and November 4, 2016, may be affected. To be on the safe side, we are asking these users to change their password the next time they log in, using the “Recover password” link: login.vivaldi.net/profile/id/userInfoView.
  If they had a currently valid login session this morning, we have expired their session to force them to log in again. Apologies!
  After November 4, we changed to a login system that did not pass through Cloudflare. If you have used the affected password on other services, you should change your password on those services, too. Please make sure you choose a different password for each service you use.
- We also made some internal changes to systems that might be affected.
At present, there are no indications that any Vivaldi.net accounts have been compromised due to this issue. We are taking the steps we outlined above to be on the safe side.
The issue has become known as “Cloudbleed” – a reference to the name given to a similar issue with OpenSSL’s implementation of the Heartbeat TLS extension a few years ago, named “Heartbleed”. The present issue was caused by buffer overruns (reading past the end of memory buffers) in code used by Cloudflare to parse HTML in some of their services. The memory read could contain data from previous sessions unrelated to the site being accessed. The issue has been present, with various degrees of severity, since September 2016.
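To make the bug class concrete, here is an added example (not Cloudflare’s code, and not the parser that was actually affected) of a tiny attribute scanner that reads past the declared end of its input when a quoted value is unterminated, next to a hardened version that honours the buffer length. The "memory arena" and the stale `Cookie:` bytes are constructed for the demo: the page being served and leftover data from an earlier, unrelated request are placed in one array so the overrun is deterministic here, whereas in real code the same read is undefined behaviour and returns whatever happens to sit next to the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: the first PAGE_LEN bytes are the response being served
 * (a chunk cut off mid-attribute), followed by stale bytes left in memory by
 * an unrelated earlier request. Only the first PAGE_LEN bytes may be read. */
#define PAGE_LEN 27
static const char arena[] =
    "<a href=\"/login\"><img src=\""            /* 27 bytes: served page     */
    "Cookie: session=SECRET123\"; stale bytes";  /* unrelated leftover data  */

/* Vulnerable scanner: finds name="value" and copies the value.
 * BUG: once the opening quote is found it trusts that a closing quote exists
 * and never compares p against buf + len, so a truncated input makes it read
 * whatever follows the buffer. */
static int extract_attr_unsafe(const char *buf, size_t len, const char *name,
                               char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    for (size_t i = 0; i + nlen + 2 <= len; i++) {
        if (memcmp(buf + i, name, nlen) == 0 &&
            buf[i + nlen] == '=' && buf[i + nlen + 1] == '"') {
            const char *p = buf + i + nlen + 2;
            size_t n = 0;
            while (*p != '"' && n + 1 < outsz)   /* no bound on p */
                out[n++] = *p++;
            out[n] = '\0';
            return (int)n;
        }
    }
    return -1;                                   /* attribute not present */
}

/* Hardened scanner: every read is checked against end = buf + len.
 * Returns value length, -1 if absent, -2 if the value is unterminated
 * (input truncated: refuse to guess), -3 if the output buffer is too small. */
static int extract_attr_safe(const char *buf, size_t len, const char *name,
                             char *out, size_t outsz)
{
    const char *end = buf + len;
    size_t nlen = strlen(name);
    for (size_t i = 0; i + nlen + 2 <= len; i++) {
        if (memcmp(buf + i, name, nlen) == 0 &&
            buf[i + nlen] == '=' && buf[i + nlen + 1] == '"') {
            const char *p = buf + i + nlen + 2;
            size_t n = 0;
            while (p < end && *p != '"' && n + 1 < outsz)
                out[n++] = *p++;
            out[n] = '\0';
            if (p == end)   return -2;
            if (*p != '"')  return -3;
            return (int)n;
        }
    }
    return -1;
}

/* Returns 1 if the unsafe scanner copied bytes from beyond PAGE_LEN
 * (the stale region) into its output, i.e. it leaked unrelated data. */
static int unsafe_parser_leaks(void)
{
    char out[64];
    int n = extract_attr_unsafe(arena, PAGE_LEN, "src", out, sizeof out);
    return n > 0 && strstr(out, "SECRET123") != NULL;
}

/* Return code of the hardened scanner for a given attribute name. */
static int safe_parser_result(const char *name)
{
    char out[64];
    return extract_attr_safe(arena, PAGE_LEN, name, out, sizeof out);
}

int main(void)
{
    char out[64];
    printf("unsafe src: %d \"%s\"\n",
           extract_attr_unsafe(arena, PAGE_LEN, "src", out, sizeof out), out);
    printf("safe   src: %d \"%s\"\n",
           extract_attr_safe(arena, PAGE_LEN, "src", out, sizeof out), out);
    printf("safe  href: %d \"%s\"\n",
           extract_attr_safe(arena, PAGE_LEN, "href", out, sizeof out), out);
    return 0;
}
```

The unsafe variant returns the stale `Cookie: session=SECRET123` string as the value of `src`; the hardened one returns -2 for the same input and still parses the complete `href` attribute normally. Treating "ran out of input" as an explicit error, rather than letting the loop continue, is the check that keeps a truncated response from turning into a read of someone else’s memory.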
More information on this issue:
As we received quite a few questions, we address most of them here: vivaldi.com/blog/cloudbleed-addressing-your-questions
If you have any issue logging in to one of the vivaldi.net services, please get in touch with us here: vivaldi.com/contact and share your username and email address so we can help you further.
Thanks in advance.