Cloudflare security vulnerability: our response

This morning we have been made aware of a security vulnerability affecting Cloudflare, a major internet infrastructure company and our Content Delivery Network (CDN) provider.

All traffic to Hypothesis passes through Cloudflare’s servers in order to improve the performance and security of our service. Unfortunately, it appears that a bug in Cloudflare’s software may have leaked some traffic that should have been private into the pages it served for other customers’ sites. Put simply: it’s possible that communications that should have been private between our users and Hypothesis were not.

At the moment we have no evidence to suggest that any Hypothesis user’s private data was leaked as part of this vulnerability, but we are taking steps to minimise the risks posed by any possible disclosure.

As a precautionary measure, we rotated the secret keys for our web service at 09:50 UTC today in order to ensure that any session keys which may have been leaked cannot be reused. Unfortunately, this means that if you were logged into Hypothesis, you will have been logged out and will need to log in again.
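The reasoning behind that step is worth making concrete. The example below is added here and is not Hypothesis's code; it assumes a common scheme in which session cookies are an HMAC signature over a payload under a server-side secret, so that rotating the secret makes every previously issued cookie (leaked or not) fail verification, which is exactly what forces users to log in again.

```python
import base64
import hashlib
import hmac
import json
import secrets


class SessionSigner:
    """Issues and verifies HMAC-SHA256 signed session cookies keyed by a server secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def issue(self, payload: dict) -> str:
        # Cookie format: base64url(JSON payload) "." hex(HMAC over that body)
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def verify(self, cookie: str):
        # Returns the payload if the signature is valid under the current secret, else None.
        try:
            body, mac = cookie.rsplit(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def rotate(self) -> None:
        # Replace the secret; nothing signed under the old one verifies any more,
        # so a cookie captured from a leak is useless even though it never "expired".
        self.secret = secrets.token_bytes(32)


def demo():
    signer = SessionSigner(secrets.token_bytes(32))
    # Constructed sample session, standing in for one that might have leaked.
    cookie = signer.issue({"user": "alice", "sid": "constructed-session-id"})
    before_rotation = signer.verify(cookie)
    signer.rotate()
    after_rotation = signer.verify(cookie)
    return before_rotation, after_rotation
```

A tampered cookie (payload changed, signature kept) is rejected the same way, since the HMAC no longer matches.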

We will update this blog post with additional information as and when we have it.

Technical details of the vulnerability can be found on Cloudflare’s website.

Update Feb 24th 12:07 UTC: We have found no evidence that any Hypothesis user data was leaked in this incident, but we recommend that any user with residual concerns reset their own password. Out of an abundance of caution we have taken this step with our own staff accounts.

Update Feb 24th 13:59 UTC: We have received confirmation from Cloudflare that “[our] domain is not one of the domains where we have discovered exposed data in any third party caches.” This means that although a possibility remains that some private user data was leaked in this incident, the probability of this having happened in practice is vanishingly small.