Cloudflare Leak: How Bad Is CloudBleed And What You Should Do

Web performance and security company Cloudflare has confirmed on Thursday, Feb. 23 that a bug in its code caused passwords, personal information, cookies, and other sensitive data to be leaked all over the internet.

Cloudflare serves more than 5.5 million websites so one can't help but worry if the Cloudbleed security flaw can be as disastrous as Heartbleed, a serious bug that put personal and financial data at risk in 2014. The company is also used by popular brands such as Uber, Fitbit, 1Password, and OKCupid.

How Cloudbleed Was Discovered And Fixed

The problem was discovered by Google Project Zero researcher Tavis Ormandy.

"I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code," Ormandy wrote.

"We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted Cloudflare security," he added.

Ormandy reported the problem to Cloudflare and the company immediately took the necessary steps to address the issue.

The problem was quickly identified according to Cloudflare. The company turned off features such as email obfuscation, Automatic HTTPS Rewrites, and Server-side Excludes that used the HTML parser chain that caused the leakage. Cloudflare claims no customer SSL private keys were leaked.

"A cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses," wrote CTO John Graham-Cumming wrote in a blog.

Cloudbleed was completely plugged within seven hours.

Anatomy Of The Small But Terrible Bug

Cloudflare has a lengthy discussion about the anatomy of the parser bug. The root cause is a buffer overrun where a very tiny patch of code caused a monster of a problem.

It was a case of using ">=" instead of "==" in the code that, in English, allowed a chunk of data to go where they were not supposed to go. It's like having a problematic divider between a warm and cold pool that allowed water from one side to leak onto the other side.

Cloudbleed might have started as early as September 2016, according to reports. Cloudlflare disclosed that the greatest period of impact was from Feb. 13 to Feb. 18 with around 1 in 3.3 million HTTP requests through the platform, potentially causing leakage.

Both Ormandy and Cloudflare shared that aside from the bug itself, data cached by Google and other search engines made the cleanup process complicated.

What Should You Do?

Perhaps Cloudbleed is not as bad as Heartbleed, but undeniably it was a disaster in the making if the kill switch was not flicked sooner.

If you want to know what websites are affected, this list of sites possibly affected by the Cloudflare leak will come in handy.

As for the action you need to take, it will be best to play safe and change your passwords, especially for those affected sites.

While the leak might not be as widespread as Heartbleed, only time will tell if there were holes left unplugged.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics