
CloudFlare CloudBleed Exposes Private User Data

A security researcher at Google was doing security research when he noticed that data coming from CloudFlare included passwords and other private data. He conferred with his colleagues, who confirmed the problem. He then quickly got on Twitter and sent an urgent message to CloudFlare asking them to contact him right away.

The media was quick to proclaim this another HeartBleed bug and sounded the alarm.

CloudFlare is a Content Distribution Network (CDN) used by such mega companies as Uber. Many smaller companies use it too. What CloudFlare does is route web traffic through its global network, bringing web pages closer to their users and reducing latency. In other words, it makes a web page load faster for a user in, say, Germany than it would if every request had to make the round trip to Silicon Valley. That shaves as much as 500 milliseconds (½ second) off the load time.

This episode was an embarrassment for CloudFlare. The data that was leaked included instant messages from dating websites like OKCupid. It also included cookies, encryption keys, and authentication tokens.

CloudFlare says they fixed the problem in 12 hours. In the meantime they turned off the service that rewrites web pages for its clients. So the web pages still worked; they were just not rewritten in any way, which is one of the services CloudFlare provides.

CloudFlare says the bug only affected 1 out of every 300,000 web pages. It was caused by a parser error. The parser fell apart when there were unmatched HTML tags. In other words, when a web page contained something like <script> without the corresponding </script>, the parser ran past the end of its buffer. It then returned whatever happened to be in the machine's memory beyond that point, including private data.
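The failure mode described above, as an added illustration in C (not CloudFlare's code; the buffer layout and the leaked string are constructed): a scanner that looks for the closing </script> without honouring the page length, beside a bounded version that refuses an unterminated tag instead of reading on into neighbouring memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena modelling one shared buffer: the HTML being rewritten
 * (the first PAGE_LEN bytes) is followed in memory by leftover data from
 * another user's request. The content is made up for this example. */
static const char ARENA[] =
    "<html><script>var x = 1;"                          /* page: <script> never closed */
    "Cookie: session=SECRET-FROM-OTHER-USER</script>";  /* adjacent memory           */
#define PAGE_LEN    24   /* strlen("<html><script>var x = 1;")        */
#define BODY_OFFSET 14   /* strlen("<html><script>"): script body start */

#define CLOSE     "</script>"
#define CLOSE_LEN 9

/* Vulnerable scanner (modelled): it assumes a closing </script> always exists
 * and keeps walking memory until it finds one. With an unterminated <script>
 * it leaves the page and measures bytes that belong to someone else. */
static long body_len_unchecked(const char *body, size_t len)
{
    (void)len;                                 /* the defect: the limit is ignored */
    const char *p = body;
    while (memcmp(p, CLOSE, CLOSE_LEN) != 0)   /* no bound on p */
        p++;
    return (long)(p - body);
}

/* Hardened scanner: every comparison stays inside [body, body + len), and an
 * unterminated tag is reported (-1) rather than "found" in adjacent memory. */
static long body_len_checked(const char *body, size_t len)
{
    const char *end = body + len;
    for (const char *p = body; p + CLOSE_LEN <= end; p++)
        if (memcmp(p, CLOSE, CLOSE_LEN) == 0)
            return (long)(p - body);
    return -1;                                 /* refuse to rewrite this page */
}

int main(void)
{
    const char *body = ARENA + BODY_OFFSET;
    size_t remaining = PAGE_LEN - BODY_OFFSET;  /* bytes of page left: 10 */
    long n = body_len_unchecked(body, remaining);
    printf("unchecked scanner would copy %ld bytes; the page only had %zu\n", n, remaining);
    printf("bytes that were never part of the page: %.*s\n",
           (int)(n - (long)remaining), body + remaining);
    printf("checked scanner result: %ld (-1 = unterminated tag, rewrite refused)\n",
           body_len_checked(body, remaining));
    return 0;
}
```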

The reason the media dubbed this CloudBleed is that it was similar to the HeartBleed bug that received worldwide attention in 2014. That was a problem in OpenSSL, the open-source cryptographic software used by almost all web servers to do SSL encryption for HTTPS web pages.

(Image: cloudbleed bug)

The problem existed from September 2016 until February 2017, which is when Tavis Ormandy of Google discovered it. CloudFlare says there is no evidence of any hacker using this data for attacks. But it would seem doubtful they could measure that, as those passwords could have been used anywhere.

The average user would not have seen this. Only a person with developer knowledge would know how to use the browser debugging tools to look at HTTP headers, which is where cookies and other such items are carried. The leaked data did not appear in the actual HTML pages.

Another problem is that Google, Bing, and Yahoo had cached this data in their search engines. So they had to work with CloudFlare to identify and then purge that cached data from their servers.

CloudFlare customers do not need to do anything to their websites to fix this issue as it was in CloudFlare and not the customer’s web hosting site.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
