Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/24/2017
04:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloudflare Leaked Web Customer Data For Months

Potential scope of issue evokes comparisons to Heartbleed.

Cloudflare, a content delivery network (CDN) used by millions of websites, leaked an undetermined amount of potentially sensitive information on many of those sites for months in a security snafu that has drawn comparisons with the Heartbleed flaw of 2014.

The leaked information potentially included emails, personally identifying information, user names, passwords, private chat messages, HTTP cookies, and authentication tokens from websites using Cloudflare. Among the thousands of websites believed impacted in the leak - which security experts have dubbed "Cloudbleed" - are Uber, FitBit, OKCupid, and IPassword.

Unlike typical data breaches, at least some of the leaked data subsequently ended up getting cached by search engines like Google and Yahoo and likely by Web-scraping tools as well. That makes the data searchable to anyone on the Internet until the search engine companies and other entities that might have the data in their caches, purges it completely, security experts cautioned today.

Cloudbleed stemmed from an error in Cloudflare’s handling of a component in its CDN services for parsing HTML pages passing through its edge servers. The company parses and modifies Web pages passing through its CDN as part of a process to make them more secure and easier to handle.

The bug resulted in Cloudflare’s servers returning random chunks of information from the memories of its reverse proxies in response to HTTP requests.

Tavis Ormandy, a member of Google’s Project Zero bug hunting team, stumbled upon the issue earlier this month when conducting other research. "It looked like that if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output," Ormandy said in an alert.

Researchers from Arbor Networks described Cloudbleed as serious enough to require all Internet users to change passwords to online accounts as a precaution. "Basically, if user A accessed content from server X, user B could, in addition to the expected results from server Y, see what user A got in his responses from server X."

According to Ormandy, the bug caused Cloudflare’s CDN to spew out encryption keys, cookies, passwords, and HTTPS from major Cloudflare hosted sites. "PII was actively being downloaded by crawlers and users during normal usage. They just didn't understand what they were seeing," he noted.

Ormandy promptly reported the bug to Cloudflare, which according to its chief technology officer John Graham-Cumming put in place an initial mitigation in 47 minutes and a complete fix in under seven hours. Graham-Cumming said that in order to prevent memory content to be returned in HTTP requests, the company had to turn off three "minor" Cloudflare features—email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes – which all were using the buggy parser chain.

Graham-Cumming said the period of maximum impact was between Feb. 13 and Feb. 18, when about 1 in 3.3 million HTTP requests through Cloudflare resulted in content from memory being accidentally leaked. The bug was nevertheless significant because it was possible that the leaked memory contained sensitive information that was then cached by search engines, he conceded.

Security experts reacting to the bug disclosure appeared in general agreement that it was a serious issue. One big concern: it's not clear just how long Cloudflare’s servers have been leaking data.

Gunter Ollman, chief security officer of Vectra Network, says that based on Cloudflare’s description of the problem, it is likely that the issue has lasted for a year. "It is unclear whether the vulnerability had been exploited by malicious actors before Google’s alert to Cloudflare," he said in a statement.

Regardless of how long the leaks may have been occurring, search engine companies and data caching providers will need to purge erroneous and confidential data from their caches, he said.

Online asset management firm OutsideIntel estimated that that over 5.3 million domains were potentially exposed to the issue. The site has a link to a master list of potentially exposed sites.

Because of the how widely used CloudFlare’s CDN service is, it is nearly impossible for Internet users to determine whether their data might have been caught up in the leaks, Arbor said in its alert.

"For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day," Arbor said. "Pretty much all of them."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ludivina
100%
0%
Ludivina,
User Rank: Strategist
2/27/2017 | 7:37:24 PM
Re: Lost rank Instagram followers
When this happened, 2 of my websites were caught by it and lost huge rank and I was open for attacks...
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:43:45 PM
caching
"Regardless of how long the leaks may have been occurring, search engine companies and data providers will need to purge erroneous and confidential data from their caches"

Article makes a good point, why would cach have this sensitive inforation, it should not be presistent. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:41:43 PM
Re: OMG.. 192.168.l.l
" what should I do now?"

I think most are cleared, you may still need to check in with your users to change their passwords.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:40:38 PM
Cloudflare and impact
 

A code error in Cloudflare platform putting everybody at risk in a big way should be a real warning for all of us, the way we develop applications and system has to change to avoid these types of problems.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:40:19 PM
Re: Cloudflare sucks for 192.168.l.l
"How CloudFlare can be such irresponsible"

this is a good question, is there no qaulity and testing before these codes are being deployed to masses. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:36:30 PM
Cloudflare
 

Who would think Cloudflare is utilized this much m=by many companies.

 
mikeroch
100%
0%
mikeroch,
User Rank: Apprentice
2/24/2017 | 9:56:43 PM
OMG.. 192.168.l.l
Hello, I am using cloudflare on most of my sites, just reading such a shocking stuff here, I am worried now, what should I do now? and what's threat exactly to my users details? Thanks in advance.
Roon215
50%
50%
Roon215,
User Rank: Apprentice
2/24/2017 | 8:44:45 PM
Cloudflare sucks for 192.168.l.l
How CloudFlare can be such irresponsible, I am using CloudFlare on 50% of my site and now I am worried for my data. Such a joke !!!!
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.