On February 17, 2017, Google Project Zero researcher Tavis Ormandy discovered a serious bug in Cloudflare's edge infrastructure, since dubbed Cloudbleed; it was publicly disclosed on February 23.
Ormandy found that Cloudflare's servers were leaking fragments of uninitialized memory into HTTP responses, exposing a wide range of sensitive information, including authentication cookies and login credentials belonging to other customers' users.
“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting. It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued,” Ormandy wrote in his security advisory. “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.”
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
The flaw was introduced in September 2016, but it had the greatest impact between February 13 and February 18, when one in every 3.3 million requests passing through Cloudflare’s edge may have resulted in memory leakage. The bug itself was fixed within hours of the report, but containing the incident took several days because leaked data had already been cached by search engines.
Cloudflare co-founder and CEO Matthew Prince published a detailed blog post analyzing this “extremely serious bug” and its potentially massive impact.
Cloudflare’s engineers analyzed their server logs, found no evidence of malicious exploitation, and concluded that the vast majority of customers were not impacted.
“Given that the data that leaked was random on a per request basis, most requests would return nothing interesting. But, every once in awhile, the data that leaked may return something of interest to a hacker.” reads the analysis published by Cloudflare.
“If a hacker were aware of the bug before it was patched and trying to exploit it then the best way for them to do so would be to send as many requests as possible to a page that contained the set of conditions that would trigger the bug. They could then record the results. Most of what they would get would be useless, but some would contain very sensitive information.”
“The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it.”
According to Cloudflare’s logs, the Cloudbleed bug was triggered more than 1.2 million times, through roughly 6,500 sites whose pages contained the conditions needed to set it off; “triggered” is not the same as “exploited”, since no evidence of deliberate exploitation was found.
Whenever Cloudflare finds customer data in a leaked page, the company reaches out to that customer, shares the data it has discovered, and provides support to mitigate the impact of the accidental exposure.
“Generally, if customer data was exposed, invalidating session cookies and rolling any internal authorization tokens is the best advice to mitigate the largest potential risk based on our investigation so far,” reads the Cloudflare post.
Users who are concerned that their data may have been exposed by Cloudbleed are invited to check the list of potentially affected websites; meanwhile, Cloudflare is still investigating the incident. Ormandy believes the company downplayed the risk.
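The mitigation Cloudflare recommends, invalidating session cookies issued during the exposure window and rolling internal authorization tokens, is easy to get wrong if sessions are only "logged out" one user at a time. The example below is an added illustration written for this page, not Cloudflare's code: a stateless HMAC-signed session token with two incident controls, a cutoff that rejects every session issued before a chosen instant (epoch invalidation), and a key rotation that bumps the key id so tokens signed with the old key fail regardless of their timestamp. The cutoff date, key sizes and token format are assumptions chosen for the example; the Feb 13 to 18, 2017 window comes from the page.

```python
"""Incident-driven session invalidation and token rotation (added example).

Not Cloudflare's code. Models the mitigation quoted on the page: after an
exposure window, reject every session cookie issued before the cutoff and
roll the signing key so leaked copies of internal tokens become useless.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed cutoff: first instant after the Feb 13-18 2017 peak-impact window.
INCIDENT_CUTOFF = datetime(2017, 2, 19, 0, 0, tzinfo=UTC)


class SessionStore:
    """Stateless signed sessions with an epoch cutoff and key rotation."""

    def __init__(self, signing_key: bytes) -> None:
        self._kid = 1                 # key id embedded in every token
        self._key = signing_key
        # Tokens issued before this instant are rejected (epoch invalidation).
        self._not_before = datetime.min.replace(tzinfo=UTC)

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, issued_at: datetime) -> str:
        """Token format (assumed for the example): kid.issued_ts.nonce.mac"""
        nonce = secrets.token_hex(8)
        body = f"{self._kid}.{int(issued_at.timestamp())}.{nonce}"
        return f"{body}.{self._mac(body)}"

    def validate(self, token: str) -> bool:
        try:
            kid, ts, nonce, mac = token.split(".")
            kid_n = int(kid)
            issued = datetime.fromtimestamp(int(ts), UTC)
        except (ValueError, OverflowError, OSError):
            return False
        if kid_n != self._kid:        # signed with a key that has since been rolled
            return False
        body = f"{kid}.{ts}.{nonce}"
        if not hmac.compare_digest(self._mac(body), mac):
            return False              # forged or tampered token
        return issued >= self._not_before

    def invalidate_before(self, cutoff: datetime) -> None:
        """Reject every session issued before `cutoff`; never moves backwards."""
        self._not_before = max(self._not_before, cutoff)

    def rotate_key(self) -> int:
        """Roll the internal signing key; all previously issued tokens fail."""
        self._kid += 1
        self._key = secrets.token_bytes(32)
        return self._kid


def demo() -> dict:
    """Walk through the incident response and report each check's outcome."""
    store = SessionStore(secrets.token_bytes(32))
    leaked = store.issue(datetime(2017, 2, 15, 12, 0, tzinfo=UTC))  # inside the window
    results = {"leaked_ok_before": store.validate(leaked)}
    store.invalidate_before(INCIDENT_CUTOFF)
    results["leaked_ok_after_cutoff"] = store.validate(leaked)
    fresh = store.issue(datetime(2017, 2, 20, tzinfo=UTC))          # after the cutoff
    results["fresh_ok"] = store.validate(fresh)
    tampered = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")
    results["tampered_ok"] = store.validate(tampered)
    store.rotate_key()                                               # roll internal token key
    results["fresh_ok_after_rotation"] = store.validate(fresh)
    results["new_ok_after_rotation"] = store.validate(
        store.issue(datetime(2017, 3, 1, tzinfo=UTC)))
    results["garbage_ok"] = store.validate("not.a.token")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:25s} {ok}")
```

The epoch cutoff is the cheap, global version of "invalidate session cookies": no per-user database walk is needed, and it can be applied the moment the exposure window is known. Key rotation is the stronger control and is what "rolling internal authorization tokens" requires, because an attacker holding a leaked token issued after the cutoff would otherwise still be accepted.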
“It is not correct to conclude that no passwords, credit cards, health records, social security numbers, or customer encryption keys were ever exposed,” Prince added. “However, if there was any exposure, based on the data we’ve reviewed, it does not appear to have been widespread. We have also not had any confirmed reports of third parties discovering any of these sensitive data types on any cached pages.”
Cloudflare reported seeing approximately 150 customers’ data on the more than 80,000 cached pages it purged from search engine caches.
(Security Affairs – Cloudbleed, hacking)