CloudFlare CloudBleed Exposes Private User Data
A security researcher at Google was doing security research when he noticed that data coming from CloudFlare included passwords and other private data. He conferred with his colleges who confirmed the problem. Then he quickly got on Twitter and sent an urgent message to CloudFlare asking them to contact him right away.
The media was quick to proclaim this another HeartBleed bug and sounded the alarm.
CloudFlare is a Content Distribution Network (CDN) used by such mega companies as Uber. Many smaller companies use it too. What CloudFlare does is route web traffic through its global network thus bringing the web pages closer to its users and reducing latency. In other words it makes web pages load faster in, say, Germany than having to make the round trip to Silicon Valley. That shaves as much as 500 milliseconds (½ second) off the load time.
This episode was an embarrassment for CloudFlare. The data that was leaked included instant messages from dating websites like OKCupid. It also included cookies, encryption keys, and authentication tokens.
CloudFlare says they fixed the problem in 12 hours. In the meantime they turned off the service that rewrites web pages for its client. So the web pages still worked. They were just not rewritten in any way, which is one service CloudFlare provides.
CloudFlare says the bug only affected 1 out of each 300,000 web pages. It was caused by a parser error. The parser fell apart when there were unmatched HTML tags. In other words when a web page contained something like <script> without the corresponding </script> the parser overran its memory. Then it returned whatever data was in the machine’s memory, like private data.
The reason the media dubbed this CloudBleed is it was similar to the HeartBleed bug that received worldwide attention in 2014. That was a problem in the OpenSSL opensource cryptographic software used by almost all web servers to do SSL encryption for HTTPS web pages.
The problem existed from September 2016 until February 2017, which is when Tavis Ormandy of Google discovered it. CloudFlare says there was no incidence of any hacker using this data to do hacking. But it would seem doubtful they could measure that as those passwords could have been used anywhere.
The average user would not have seen this. Only a person with developer knowledge would know how to use the browser debugging tools to look at HTTP headers. That is where cookies and other items are stored. The leaked data did not appear in the actual HTML pages.
Another problem is that Google, Bing, and Yahoo had cached this data in their search engines. So they had to work with CloudFlare to identity and then purge that cached data from its servers.
CloudFlare customers do not need to do anything to their websites to fix this issue as it was in CloudFlare and not the customer’s web hosting site.