Albert Pedersen

@alex_roqo Workers had nothing to do with the vulnerability. The proxy was setup to allow dynamically targeting non-standard ports. You can also change the port without workers using Origin Rules: #destination-port" target="_blank" rel="nofollow noopener">developers.cloudflare.com/rules/origin-r…

@AlbertSPedersen Nice trick! Did it only work on Cloudflare workers when they tried to connect to external host with 'spoofed' DNS record?

This is one of the more interesting bugs I've found. Quite impactful too. Link to the report on HackerOne: hackerone.com/reports/1785260

On April 18, 2023, I discovered a critical vulnerability in Cloudflare CASB that enabled me to view sensitive information about other customers' Microsoft and GitHub organizations. The issue was promptly fixed by the Cloudflare team. Here is the write-up: albertpedersen.com/blog/cloudflar…

@TimLeland @eastdakota @dok2001 @Cloudflare The customer can spend time learning how to manually add DNS records (assuming their hosting provider even supports that) or wait out the 60-day lock imposed by ICANN and transfer to a different registrar. Either way, the customer is left with a sour taste in their mouth. 4/4

@TimLeland @eastdakota @dok2001 @Cloudflare The problem is that this limitation is not made clear during registration. Almost every other registrar allows you to change name servers, so the customer has no reason to expect Cloudflare won't also let them do that. Now the domain is stuck on Cloudflare Registrar. 3/4

Why does Cloudflare Registrar not clearly inform customers that they cannot change name servers? This restriction is hidden away in section 6.1 of the Domain Registration Agreement. It should be mentioned in the UI when you register a domain. @eastdakota @dok2001 @Cloudflare

@InnerHack Good question. I was running a traceroute and noticed one of the hops used this IP address format. I looked it up and found they were called IPv4-mapped IPv6 addresses. Then I wondered if it could be used in DNS record and, if yes, how Cloudflare would handle it.

@AlbertSPedersen how did you even think about this kind of ipv6 address in the first place?

@jgrahamc @Cloudflare As it stands right now, I don't feel particularly safe entering my personal or payment information on a site using Cloudflare, simply because I can't know whether the origin connection is encrypted. This issue could be alleviated with a simple header: twitter.com/sitemeer/statu…

@jgrahamc @Cloudflare Correct me if I'm wrong, but I don't believe this addresses the huge number of sites on "Flexible" because their origin does not support SSL. These sites will keep deceiving users who see a padlock in the address bar and assume the connection is securely end-to-end encrypted.

As we are crossing into 2023, what would you like Cloudflare to launch in the upcoming year? #CloudflareChat

@ejcx_ @Cloudflare I will miss occasionally seeing you in my reports on HackerOne. Good luck!

@ArtemR @Hacker0x01 2/2 Low or medium severity bugs can take a couple of weeks to get fixed, but they're always happy to give a status update if you ask for it. (For context, I am currently #1 on Cloudflare's HackerOne program with 19 resolved reports.)

@ArtemR @Hacker0x01 1/2 Cloudflare usually triages reports on the same or next day no matter the severity. The time to resolution, however, depends on the severity and complexity of the fix. Same-day fixes for very critical bugs is normal, but it takes a couple of days for slightly less severe bugs.

I found a vulnerability in @Cloudflare R2 and was awarded a $750 bounty on @Hacker0x01. Here's the issue that was reported and fixed cloudflarestatus.com/incidents/trlp…. Pretty impressed with the speed of acknowledgement and resolution - within hours of my report.

@robertcpadgett This has now been fixed. Sorry for the delay.

@AlbertSPedersen Thanks!

@AlbertSPedersen Hi, I'm trying to use this tool liberate-the-hostname.pages.dev you created and need more informatiin regarding which dns records need to be added. Thanks! I appreciate your help

@Qorne Hi, I've unfortunately run into an account limit which I'm working on getting raised. It should hopefully start working again later today. Sorry for the inconvenience.

@AlbertSPedersen is this service still working? liberate-the-hostname.pages.dev

Hijacking email with #Cloudflare Email Routing. albertpedersen.com/blog/hijacking… via @AlbertSPedersen

@JoshInSecurity 🙂👋