
2/24/2017
04:50 PM

Cloudflare Leaked Web Customer Data For Months

Potential scope of issue evokes comparisons to Heartbleed.

Cloudflare, a content delivery network (CDN) used by millions of websites, leaked an undetermined amount of potentially sensitive information on many of those sites for months in a security snafu that has drawn comparisons with the Heartbleed flaw of 2014.

The leaked information potentially included emails, personally identifying information, user names, passwords, private chat messages, HTTP cookies, and authentication tokens from websites using Cloudflare. Among the thousands of websites believed to be affected by the leak, which security experts have dubbed "Cloudbleed", are Uber, FitBit, OKCupid, and 1Password.

Unlike in typical data breaches, at least some of the leaked data was subsequently cached by search engines such as Google and Yahoo, and likely by Web-scraping tools as well. That makes the data searchable by anyone on the Internet until the search engine companies and other entities that might hold it in their caches purge it completely, security experts cautioned today.

Cloudbleed stemmed from an error in Cloudflare’s handling of a component in its CDN services for parsing HTML pages passing through its edge servers. The company parses and modifies Web pages passing through its CDN as part of a process to make them more secure and easier to handle.

The bug resulted in Cloudflare’s servers returning random chunks of information from the memories of its reverse proxies in response to HTTP requests.

Tavis Ormandy, a member of Google’s Project Zero bug hunting team, stumbled upon the issue earlier this month when conducting other research. "It looked like that if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output," Ormandy said in an alert.
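To make the mechanism concrete, here is an added toy model (not Cloudflare's code, and a deliberate simplification of a real HTML parser) of a proxy that copies a tag out of a memory arena reused across requests: bounding the scan by the allocation size instead of by the page turns an unbalanced tag into a copy of whatever the arena held before. The page, the stale data and the "SECRET" marker are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of an HTML-rewriting edge proxy (added illustration, not Cloudflare's code).
 * One arena is reused across requests: the current page occupies its first page_len
 * bytes, and the rest still holds stale bytes left over from an earlier request. */
#define ARENA_SIZE 96
static char arena[ARENA_SIZE];

/* Place the current page in the arena; whatever follows it is "memory from before". */
static size_t load_arena(const char *page, const char *stale)
{
    size_t page_len = strlen(page);
    memset(arena, 0, sizeof arena);
    memcpy(arena, page, page_len);
    memcpy(arena + page_len, stale, strlen(stale));    /* constructed leftover data */
    return page_len;
}

/* Copy the tag that starts at arena[0] into out, stopping at the closing '>' or at
 * `bound`. Whether `bound` is the page length or the allocation size is the whole bug. */
static size_t copy_tag(size_t bound, char *out, size_t cap)
{
    size_t n;
    for (n = 0; n < cap - 1 && n < bound && arena[n] != '>'; n++)
        out[n] = arena[n];
    out[n] = '\0';
    return n;
}

/* Run the proxy over `page` with `stale` data behind it and report whether `needle`
 * reached the output. use_safe=0 bounds the scan by the arena's allocation size, so an
 * unbalanced tag (no '>' before the page ends) runs on into the stale bytes, which is the
 * symptom the article describes; use_safe=1 bounds it by the page, so the unterminated
 * tag is truncated instead of being completed from whatever memory follows it. */
static int output_contains(int use_safe, const char *page, const char *stale, const char *needle)
{
    char out[ARENA_SIZE + 1];
    size_t page_len = load_arena(page, stale);
    copy_tag(use_safe ? page_len : ARENA_SIZE, out, sizeof out);
    return strstr(out, needle) != NULL;
}

int main(void)
{   /* constructed inputs: an unterminated <script> tag, then a stale cookie header */
    const char *page = "<script src=\"a.js\"", *stale = "Set-Cookie: session=SECRET";
    printf("naive leaks: %d, safe leaks: %d\n", output_contains(0, page, stale, "SECRET"),
           output_contains(1, page, stale, "SECRET")); /* prints "naive leaks: 1, safe leaks: 0" */
    return 0;
}
```

A balanced tag is handled identically by both variants; only the unterminated one exposes the difference, which is why the flaw could sit unnoticed in normal traffic.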

Researchers from Arbor Networks described Cloudbleed as serious enough to require all Internet users to change passwords to online accounts as a precaution. "Basically, if user A accessed content from server X, user B could, in addition to the expected results from server Y, see what user A got in his responses from server X."

According to Ormandy, the bug caused Cloudflare's CDN to spew out encryption keys, cookies, passwords, and HTTPS requests from major Cloudflare-hosted sites. "PII was actively being downloaded by crawlers and users during normal usage. They just didn't understand what they were seeing," he noted.

Ormandy promptly reported the bug to Cloudflare, which, according to its chief technology officer John Graham-Cumming, put an initial mitigation in place within 47 minutes and a complete fix in under seven hours. Graham-Cumming said that to stop memory contents from being returned in response to HTTP requests, the company had to turn off three "minor" Cloudflare features (email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes), all of which used the buggy parser chain.

Graham-Cumming said the period of maximum impact was between Feb. 13 and Feb. 18, when about 1 in 3.3 million HTTP requests through Cloudflare resulted in content from memory being accidentally leaked. The bug was nevertheless significant because it was possible that the leaked memory contained sensitive information that was then cached by search engines, he conceded.

Security experts reacting to the bug disclosure appeared in general agreement that it was a serious issue. One big concern: it's not clear just how long Cloudflare’s servers have been leaking data.

Gunter Ollmann, chief security officer of Vectra Networks, says that based on Cloudflare's description of the problem, the issue has likely existed for a year. "It is unclear whether the vulnerability had been exploited by malicious actors before Google's alert to Cloudflare," he said in a statement.

Regardless of how long the leaks may have been occurring, search engine companies and data caching providers will need to purge erroneous and confidential data from their caches, he said.

Online asset management firm OutsideIntel estimated that over 5.3 million domains were potentially exposed to the issue. The site has a link to a master list of potentially exposed sites.

Because of how widely used Cloudflare's CDN service is, it is nearly impossible for Internet users to determine whether their data might have been caught up in the leaks, Arbor said in its alert.

"For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day," Arbor said. "Pretty much all of them."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
Ludivina, User Rank: Strategist, 2/27/2017 | 7:37:24 PM
Re: Lost rank Instagram followers
When this happened, 2 of my websites were caught by it and lost huge rank and I was open for attacks...
Dr.T, User Rank: Ninja, 2/27/2017 | 5:43:45 PM
caching
"Regardless of how long the leaks may have been occurring, search engine companies and data providers will need to purge erroneous and confidential data from their caches"

Article makes a good point: why would a cache have this sensitive information? It should not be persistent.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:41:43 PM
Re: OMG.. 192.168.l.l
"what should I do now?"

I think most are cleared; you may still need to check in with your users to change their passwords.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:40:38 PM
Cloudflare and impact
A code error in the Cloudflare platform putting everybody at risk in a big way should be a real warning for all of us; the way we develop applications and systems has to change to avoid these types of problems.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:40:19 PM
Re: Cloudflare sucks for 192.168.l.l
"How can CloudFlare be so irresponsible"

This is a good question: is there no quality and testing before this code is deployed to the masses?
Dr.T, User Rank: Ninja, 2/27/2017 | 5:36:30 PM
Cloudflare
Who would think Cloudflare is utilized this much by many companies.
mikeroch, User Rank: Apprentice, 2/24/2017 | 9:56:43 PM
OMG.. 192.168.l.l
Hello, I am using Cloudflare on most of my sites. Just reading such shocking stuff here, I am worried now. What should I do now, and what's the threat exactly to my users' details? Thanks in advance.
Roon215, User Rank: Apprentice, 2/24/2017 | 8:44:45 PM
Cloudflare sucks for 192.168.l.l
How can CloudFlare be so irresponsible? I am using CloudFlare on 50% of my sites and now I am worried for my data. Such a joke !!!!