Update on "Cloudbleed" Data Leak Incident
Good morning! This post is a cross-reference to the email that we sent out this morning. Have a great week!
Cloudbleed: Is DivvyHQ Affected?
We take security very seriously at DivvyHQ. Although the majority of data that is stored on DivvyHQ servers is meant for public consumption (that's the nature of content marketing, right?), there are probably plenty of things that should not ever see the light of day. And we want to continue to ensure they never do.
If you run in any technical circles, perhaps you've already heard about Cloudbleed, the latest global data leak incident involving Cloudflare, a technology security provider. Alongside companies like Uber, OKCupid and Fitbit, we utilize Cloudflare's services, hence this update email.
An official incident report was released yesterday (2/23/17), but it's a long and technical article, so I wanted to write a quick summary of what went wrong and assure you that no DivvyHQ data was leaked or compromised in any way.
We are completely unaffected by this vulnerability; however, because we use Cloudflare for preventing Distributed Denial of Service (DDoS) and Cross-Site Scripting (XSS) attacks, we wanted to make sure we were transparent about what happened.
A memory-leak-based vulnerability was discovered by Google's technology watchdog division. The important thing to know is that a piece of code was running that produced an unexpected (and unaccounted-for) result. Google alerted Cloudflare to the issue last week and a fix was in place within seven hours. Since then, Cloudflare has been working with search engine providers to scrub the exposed data from their cached search results. They were also able to determine that this was only happening to approximately 1 in 3,300,000 HTTP requests.
Cloudflare & DivvyHQ
Here's a quick overview of how Cloudflare works. A request from you (our end users) to app.divvyhq.com is actually handled first by Cloudflare. Cloudflare parses DivvyHQ's HTML and JavaScript to make sure the user is being served the correct code (this is the XSS prevention I mentioned above). This parsing also does things like obfuscating email addresses from web spiders/crawlers, among other things. During this processing, a piece of code ran indefinitely until it ran into a memory issue (effectively, it ran out of memory). This unprocessed content was then forwarded to the end user's browser. Although an end user would not have noticed it, search engines started caching these "bad" pages, and as a result user authentication data was being revealed.
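As an added illustration (not Cloudflare's or DivvyHQ's code), here is the class of bug the paragraph above describes in simplified form: a rewriting pass over a response body whose end-of-input check can be stepped over, so it keeps copying whatever sits next in memory into the output that goes back to the browser. The "arena", the body and the cookie value are constructed samples, and `rewrite`, `output_leaks_secret`, `rewritten_length` and the `strict` flag are names chosen for this example. The buggy path compares the scan pointer to the end pointer with an equality test, which a two-byte step (an escaped character) can jump over; the hardened path uses a `<` comparison and refuses to read an escape that would cross the end of the body.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of a proxy's memory: the HTML body being rewritten is
 * immediately followed by bytes belonging to a different request (a cookie
 * here). Both live in one array so the over-read stays inside defined memory
 * and can be observed safely. */
static const char ARENA[] =
    "<p>Hi</p><a href=\"\\"          /* 19-byte body, ends mid-escape */
    "Cookie: session=s3cr3t>";        /* adjacent memory, not part of the body */
#define BODY_LEN 19

/* Copies one response body into out, byte for byte, standing in for the
 * rewriting pass. Inside a quoted attribute a backslash escapes the next
 * byte, so the scanner steps forward by two. With strict == 0 the loop uses
 * the equality test (p != end) that a two-byte step can jump over; with
 * strict == 1 it checks p < end and refuses an escape that would cross the
 * end of the body. Returns the number of bytes written. */
static size_t rewrite(const char *body, size_t len, char *out, size_t cap, int strict)
{
    const char *p = body;
    const char *end = body + len;
    size_t n = 0;
    int in_quote = 0;

    while (strict ? (p < end) : (p != end)) {
        if (n + 2 > cap)                 /* output full: the only stop on the buggy path */
            break;
        if (in_quote && *p == '\\') {
            if (strict && p + 1 >= end)  /* truncated escape at end of body: stop here */
                break;
            out[n++] = p[0];
            out[n++] = p[1];
            p += 2;                      /* buggy path: may land beyond end */
            continue;
        }
        if (*p == '"')
            in_quote = !in_quote;
        out[n++] = *p++;
    }
    return n;
}

/* Bounded substring search (memmem is not portable C). */
static const char *find(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return hay + i;
    return NULL;
}

/* Runs the rewrite over the sample and reports how many bytes came out. */
size_t rewritten_length(int strict)
{
    char out[sizeof ARENA];
    return rewrite(ARENA, BODY_LEN, out, sizeof ARENA - 1, strict);
}

/* Response-side check: 1 if the rewritten body carries the neighbouring
 * request's cookie, i.e. bytes that were never part of the input body. */
int output_leaks_secret(int strict)
{
    char out[sizeof ARENA];
    size_t n = rewrite(ARENA, BODY_LEN, out, sizeof ARENA - 1, strict);
    return find(out, n, "session=") != NULL;
}

int main(void)
{
    char out[sizeof ARENA];
    for (int strict = 0; strict <= 1; strict++) {
        size_t n = rewrite(ARENA, BODY_LEN, out, sizeof ARENA - 1, strict);
        printf("%s bounds check -> %zu bytes: %.*s\n",
               strict ? "strict" : "buggy ", n, (int)n, out);
    }
    return 0;
}
```

In the buggy run the output is 41 bytes and contains the neighbouring cookie; in the strict run it stops at the 18 bytes that are genuinely part of the body. In this model the output buffer's capacity is what eventually halts the runaway copy, which stands in for the "ran until it ran out of memory" behaviour the post describes. A check like `output_leaks_secret`, run against bodies that end mid-token, is the kind of regression test that catches this bug class before it reaches a browser or a search engine cache.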
We have received an email directly from Cloudflare and have also conducted our own research, and are positively unaffected by this vulnerability. If you have any questions or need any help understanding this vulnerability, please reach out to us via our support channels. However, just to reiterate, DivvyHQ was not affected by this vulnerability and all of your account data is secure.
Thanks for your time and have a great weekend!
Nick Mallare, Chief Technology Officer
nick@divvyhq.com