As described in our February 27, 2017 blog post regarding the Cloudflare information leak (“Cloudbleed”), a bug within the code running on Cloudflare edge servers was discovered by a Google security researcher.
Upon further investigation into the use of Cloudflare on DNAnexus we found, on February 27th at 2:39 PM PST, that contrary to what we had indicated in our blog post, HTTP requests to platform.dnanexus.com served by Cloudflare edge servers in some cases included session tokens with authentication information. We revoked all customer session tokens at 5:06 PM PST that same day, at which point all requests to DNAnexus required re-authentication. All existing tokens were unusable after this time.
On February 23rd Cloudflare provided their most recent update and stated that there was no evidence of exploitation; there have been no updates since that deviate from this information. Additionally, Cloudflare has completed analysis of edge server log data, and on March 3rd confirmed that platform.dnanexus.com was not found to have been impacted.
Our CDN usage design has been reviewed and we continue to believe no customer has been impacted by the incident. Any potential new exposure has been eliminated and there continues to be no evidence of exploitation.
We know how critical information security is to our customers so if you have any questions about your account, please do not hesitate to contact our customer support team at support@dnanexus.com.
