Attacks/Breaches

2/24/2017
04:50 PM

Cloudflare Leaked Web Customer Data For Months

Potential scope of issue evokes comparisons to Heartbleed.

Cloudflare, a content delivery network (CDN) used by millions of websites, leaked an undetermined amount of potentially sensitive information on many of those sites for months in a security snafu that has drawn comparisons with the Heartbleed flaw of 2014.

The leaked information potentially included emails, personally identifying information, user names, passwords, private chat messages, HTTP cookies, and authentication tokens from websites using Cloudflare. Among the thousands of websites believed to be affected by the leak, which security experts have dubbed "Cloudbleed," are Uber, Fitbit, OkCupid, and 1Password.

Unlike typical data breaches, at least some of the leaked data subsequently ended up cached by search engines such as Google and Yahoo, and likely by Web-scraping tools as well. That makes the data searchable by anyone on the Internet until the search engine companies and other entities that might hold the data in their caches purge it completely, security experts cautioned today.

Cloudbleed stemmed from an error in Cloudflare’s handling of a component in its CDN services for parsing HTML pages passing through its edge servers. The company parses and modifies Web pages passing through its CDN as part of a process to make them more secure and easier to handle.

The bug resulted in Cloudflare's servers returning random chunks of memory from its reverse proxies in response to HTTP requests.

Tavis Ormandy, a member of Google’s Project Zero bug hunting team, stumbled upon the issue earlier this month when conducting other research. "It looked like that if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output," Ormandy said in an alert.
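The mechanism Ormandy describes, a rewriter that runs past the end of the request it is processing and emits whatever its shared buffer still holds, can be shown with a toy in C. This is an added example, not Cloudflare's parser or any code from the company: the `arena`, `load_arena`, `rewrite_buggy`, `rewrite_safe` and `leaks_stale` names and the sample data are constructed for the illustration, the stale bytes stand in for data left behind by an earlier request, and the trigger (a tag with no closing `>`) is a stand-in for the "specific combination of unbalanced tags" the article mentions without detailing. The buggy rewriter bounds its search for the end of a tag by the buffer capacity instead of the document length; the hardened one bounds it by the document and refuses an unterminated page instead of guessing.

```c
/* Added example, not Cloudflare's code: a toy tag-aware rewriter operating
 * on a shared buffer ("arena") that is reused between requests, as a
 * proxy's parse buffer would be.  All names and sample data are constructed
 * for this illustration. */
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Reused proxy buffer: the current document sits at the start, and bytes
 * beyond it still hold whatever the previous request left there. */
static char arena[ARENA_SIZE];

/* Load 'doc' into the arena and place 'stale' (constructed remnants of an
 * earlier request) immediately after it.  Returns the document length. */
size_t load_arena(const char *doc, const char *stale)
{
    size_t n = strlen(doc);
    memset(arena, 0, sizeof arena);
    memcpy(arena, doc, n);
    strncpy(arena + n, stale, ARENA_SIZE - n - 1);  /* keeps the arena NUL-terminated */
    return n;
}

/* Copy the document to 'out', passing each tag through as one unit once its
 * closing '>' has been located.  'limit' bounds the search for that '>':
 * the document length makes the function safe; the arena capacity lets the
 * search run into stale bytes from the previous request. */
static int rewrite_core(size_t len, size_t limit, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (arena[i] != '<') {                 /* ordinary text: copy one byte */
            if (o + 1 >= outcap) return -1;
            out[o++] = arena[i++];
            continue;
        }
        size_t end = i + 1;
        while (end < limit && arena[end] != '>') end++;
        if (end == limit) {                    /* no '>' before the limit */
            out[0] = '\0';
            return -2;                         /* unterminated tag: refuse the page */
        }
        size_t taglen = end - i + 1;
        if (o + taglen + 1 > outcap) return -1;
        memcpy(out + o, arena + i, taglen);    /* with limit > len this copies stale bytes */
        o += taglen;
        i = end + 1;
    }
    out[o] = '\0';
    return 0;
}

/* BUG: the search for '>' is bounded by the buffer, not by the document. */
int rewrite_buggy(size_t len, char *out, size_t outcap)
{
    return rewrite_core(len, ARENA_SIZE, out, outcap);
}

/* Hardened: the search never leaves the document. */
int rewrite_safe(size_t len, char *out, size_t outcap)
{
    return rewrite_core(len, len, out, outcap);
}

/* Run one rewriter over 'doc' with 'stale' bytes behind it.  Returns 1 if
 * 'needle' (a secret inside the stale bytes) appears in the output, 0 if the
 * page was rewritten without it, -1 if the rewriter refused the page. */
int leaks_stale(int (*fn)(size_t, char *, size_t),
                const char *doc, const char *stale, const char *needle)
{
    char out[ARENA_SIZE];
    size_t len = load_arena(doc, stale);
    if (fn(len, out, sizeof out) != 0) return -1;
    return strstr(out, needle) != NULL;
}

int main(void)
{
    /* constructed sample data */
    const char *stale  = "<!-- previous request: Cookie: session=EXAMPLE_SECRET -->";
    const char *needle = "session=EXAMPLE_SECRET";
    const char *broken = "<p>Hello <a href=\"x";      /* unterminated tag */
    const char *clean  = "<p>Hello <b>world</b></p>";

    printf("buggy, unterminated tag -> leak? %d\n", leaks_stale(rewrite_buggy, broken, stale, needle));
    printf("safe,  unterminated tag -> leak? %d\n", leaks_stale(rewrite_safe, broken, stale, needle));
    printf("buggy, well-formed page -> leak? %d\n", leaks_stale(rewrite_buggy, clean, stale, needle));
    return 0;
}
```

On a well-formed page both rewriters behave identically, which is why a bug of this shape survives ordinary testing: only a malformed page drives the search past the document, and the result is not a crash but a valid-looking response carrying another tenant's data. The safe version's refusal of an unterminated tag is deliberate; a rewriter that silently truncated instead would hide the malformed input, and a proxy serving many customers is better off failing closed and logging the page.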

Researchers from Arbor Networks described Cloudbleed as serious enough to require all Internet users to change passwords to online accounts as a precaution. "Basically, if user A accessed content from server X, user B could, in addition to the expected results from server Y, see what user A got in his responses from server X."

According to Ormandy, the bug caused Cloudflare's CDN to spew out encryption keys, cookies, passwords, and HTTPS requests from major Cloudflare-hosted sites. "PII was actively being downloaded by crawlers and users during normal usage. They just didn't understand what they were seeing," he noted.

Ormandy promptly reported the bug to Cloudflare, which, according to its chief technology officer John Graham-Cumming, put an initial mitigation in place within 47 minutes and a complete fix in under seven hours. Graham-Cumming said that to stop memory contents from being returned in response to HTTP requests, the company had to turn off three "minor" Cloudflare features (email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes), all of which used the buggy parser chain.

Graham-Cumming said the period of maximum impact was between Feb. 13 and Feb. 18, when about 1 in 3.3 million HTTP requests through Cloudflare resulted in content from memory being accidentally leaked. The bug was nevertheless significant because it was possible that the leaked memory contained sensitive information that was then cached by search engines, he conceded.

Security experts reacting to the bug disclosure appeared in general agreement that it was a serious issue. One big concern: it's not clear just how long Cloudflare’s servers have been leaking data.

Gunter Ollmann, chief security officer of Vectra Networks, says that based on Cloudflare's description of the problem, it is likely the issue had existed for a year. "It is unclear whether the vulnerability had been exploited by malicious actors before Google's alert to Cloudflare," he said in a statement.

Regardless of how long the leaks may have been occurring, search engine companies and data caching providers will need to purge erroneous and confidential data from their caches, he said.

Online asset management firm OutsideIntel estimated that over 5.3 million domains were potentially exposed to the issue. The site links to a master list of potentially exposed sites.

Because of how widely used Cloudflare's CDN service is, it is nearly impossible for Internet users to determine whether their data might have been caught up in the leaks, Arbor said in its alert.

"For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day," Arbor said. "Pretty much all of them."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Ludivina, User Rank: Strategist, 2/27/2017 | 7:37:24 PM
Re: Lost rank Instagram followers
When this happened, 2 of my websites were caught by it and lost huge rank and I was open for attacks...
Dr.T, User Rank: Ninja, 2/27/2017 | 5:43:45 PM
caching
"Regardless of how long the leaks may have been occurring, search engine companies and data providers will need to purge erroneous and confidential data from their caches"

Article makes a good point, why would cache have this sensitive information, it should not be persistent.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:41:43 PM
Re: OMG.. 192.168.l.l
"what should I do now?"

I think most are cleared, you may still need to check in with your users to change their passwords.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:40:38 PM
Cloudflare and impact
A code error in Cloudflare platform putting everybody at risk in a big way should be a real warning for all of us, the way we develop applications and system has to change to avoid these types of problems.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:40:19 PM
Re: Cloudflare sucks for 192.168.l.l
"How CloudFlare can be such irresponsible"

this is a good question, is there no quality and testing before these codes are being deployed to masses.
Dr.T, User Rank: Ninja, 2/27/2017 | 5:36:30 PM
Cloudflare
Who would think Cloudflare is utilized this much by many companies.
mikeroch, User Rank: Apprentice, 2/24/2017 | 9:56:43 PM
OMG.. 192.168.l.l
Hello, I am using cloudflare on most of my sites, just reading such a shocking stuff here, I am worried now, what should I do now? and what's threat exactly to my users details? Thanks in advance.
Roon215, User Rank: Apprentice, 2/24/2017 | 8:44:45 PM
Cloudflare sucks for 192.168.l.l
How CloudFlare can be such irresponsible, I am using CloudFlare on 50% of my site and now I am worried for my data. Such a joke !!!!