Attacks/Breaches

2/24/2017
04:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloudflare Leaked Web Customer Data For Months

Potential scope of issue evokes comparisons to Heartbleed.

Cloudflare, a content delivery network (CDN) used by millions of websites, leaked an undetermined amount of potentially sensitive information on many of those sites for months in a security snafu that has drawn comparisons with the Heartbleed flaw of 2014.

The leaked information potentially included emails, personally identifying information, user names, passwords, private chat messages, HTTP cookies, and authentication tokens from websites using Cloudflare. Among the thousands of websites believed impacted in the leak - which security experts have dubbed "Cloudbleed" - are Uber, FitBit, OKCupid, and IPassword.

Unlike typical data breaches, at least some of the leaked data subsequently ended up getting cached by search engines like Google and Yahoo and likely by Web-scraping tools as well. That makes the data searchable to anyone on the Internet until the search engine companies and other entities that might have the data in their caches, purges it completely, security experts cautioned today.

Cloudbleed stemmed from an error in Cloudflare’s handling of a component in its CDN services for parsing HTML pages passing through its edge servers. The company parses and modifies Web pages passing through its CDN as part of a process to make them more secure and easier to handle.

The bug resulted in Cloudflare’s servers returning random chunks of information from the memories of its reverse proxies in response to HTTP requests.

Tavis Ormandy, a member of Google’s Project Zero bug hunting team, stumbled upon the issue earlier this month when conducting other research. "It looked like that if an HTML page hosted behind Cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output," Ormandy said in an alert.

Researchers from Arbor Networks described Cloudbleed as serious enough to require all Internet users to change passwords to online accounts as a precaution. "Basically, if user A accessed content from server X, user B could, in addition to the expected results from server Y, see what user A got in his responses from server X."

According to Ormandy, the bug caused Cloudflare’s CDN to spew out encryption keys, cookies, passwords, and HTTPS from major Cloudflare hosted sites. "PII was actively being downloaded by crawlers and users during normal usage. They just didn't understand what they were seeing," he noted.

Ormandy promptly reported the bug to Cloudflare, which according to its chief technology officer John Graham-Cumming put in place an initial mitigation in 47 minutes and a complete fix in under seven hours. Graham-Cumming said that in order to prevent memory content to be returned in HTTP requests, the company had to turn off three "minor" Cloudflare features—email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes – which all were using the buggy parser chain.

Graham-Cumming said the period of maximum impact was between Feb. 13 and Feb. 18, when about 1 in 3.3 million HTTP requests through Cloudflare resulted in content from memory being accidentally leaked. The bug was nevertheless significant because it was possible that the leaked memory contained sensitive information that was then cached by search engines, he conceded.

Security experts reacting to the bug disclosure appeared in general agreement that it was a serious issue. One big concern: it's not clear just how long Cloudflare’s servers have been leaking data.

Gunter Ollman, chief security officer of Vectra Network, says that based on Cloudflare’s description of the problem, it is likely that the issue has lasted for a year. "It is unclear whether the vulnerability had been exploited by malicious actors before Google’s alert to Cloudflare," he said in a statement.

Regardless of how long the leaks may have been occurring, search engine companies and data caching providers will need to purge erroneous and confidential data from their caches, he said.

Online asset management firm OutsideIntel estimated that that over 5.3 million domains were potentially exposed to the issue. The site has a link to a master list of potentially exposed sites.

Because of the how widely used CloudFlare’s CDN service is, it is nearly impossible for Internet users to determine whether their data might have been caught up in the leaks, Arbor said in its alert.

"For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day," Arbor said. "Pretty much all of them."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ludivina
100%
0%
Ludivina,
User Rank: Strategist
2/27/2017 | 7:37:24 PM
Re: Lost rank Instagram followers
When this happened, 2 of my websites were caught by it and lost huge rank and I was open for attacks...
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:43:45 PM
caching
"Regardless of how long the leaks may have been occurring, search engine companies and data providers will need to purge erroneous and confidential data from their caches"

Article makes a good point, why would cach have this sensitive inforation, it should not be presistent. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:41:43 PM
Re: OMG.. 192.168.l.l
" what should I do now?"

I think most are cleared, you may still need to check in with your users to change their passwords.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:40:38 PM
Cloudflare and impact
 

A code error in Cloudflare platform putting everybody at risk in a big way should be a real warning for all of us, the way we develop applications and system has to change to avoid these types of problems.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:40:19 PM
Re: Cloudflare sucks for 192.168.l.l
"How CloudFlare can be such irresponsible"

this is a good question, is there no qaulity and testing before these codes are being deployed to masses. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2017 | 5:36:30 PM
Cloudflare
 

Who would think Cloudflare is utilized this much m=by many companies.

 
mikeroch
100%
0%
mikeroch,
User Rank: Apprentice
2/24/2017 | 9:56:43 PM
OMG.. 192.168.l.l
Hello, I am using cloudflare on most of my sites, just reading such a shocking stuff here, I am worried now, what should I do now? and what's threat exactly to my users details? Thanks in advance.
Roon215
50%
50%
Roon215,
User Rank: Apprentice
2/24/2017 | 8:44:45 PM
Cloudflare sucks for 192.168.l.l
How CloudFlare can be such irresponsible, I am using CloudFlare on 50% of my site and now I am worried for my data. Such a joke !!!!
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.