CloudBleed – CloudFlare bug exposes sensitive data from millions of sites
CloudBleed – a severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data. Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with their edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
Cloudflare speeds up and protects millions of websites, APIs, SaaS services, and other properties connected to the Internet. Their Anycast technology enables benefits to scale with every server they add to their growing footprint of data centers. Moving content physically closer to visitors with their CDN is one of the easiest ways to improve the performance of your website and reduce load on your web servers.
Their enterprise-class DDoS protection network has 20 times more capacity than the largest DDoS attack ever recorded. Operating at the network edge, it protects against all forms of DDoS attacks. Rate Limiting gives you granular controls to detect bad traffic, customized rulesets to ensure that your legitimate visitors are not impacted, and insights to improve your security posture as attacks evolve.
Cloudflare is one of the fastest managed DNS providers in the world. The same 102 data center network that powers their CDN dramatically speeds up domain resolution for your website’s visitors. Modern SSL isn’t just for security—it can actually improve the performance of your website by leveraging features like OCSP stapling, session resumption, HTTP/2, and TLS 1.3. Accelerated Mobile Links, powered by AMP technology, activates AMP-enabled links across your entire website, loading them 3-5x faster than normal mobile pages.
All of the above-mentioned facts and technologies are some of the key features provided by the CloudFlare service.
What is Cloudbleed?
Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug that was discovered in 2014, but is believed to be worse than Heartbleed. Cloudbleed (also known as CloudLeak and CloudFlare Bug) is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines.
How does CloudBleed work?
CloudFlare acts as a proxy between the user and the web server: it caches content for websites that sit behind its global network and lowers the number of requests to the original host server by passing content through Cloudflare’s edge servers for optimization and security.
According to a Cloudflare blog post, the issue stems from the company’s decision to use a new HTML parser called cf-html. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.
Cloudflare ran into trouble when adapting the source code of cf-html and its old parser, Ragel, to work with its own software. An error in the code created what is called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was working through a buffer, a limited amount of space for temporary data, it could miss the end of the buffer and keep going past it into whatever memory came next. (If you’re dying for a more technical explanation, Cloudflare laid it all out in a blog post.)
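As an added illustration (not Cloudflare’s or Ragel’s code), the following C program models the end-of-buffer check described above: a scanner whose step can advance the read pointer by two bytes is run first with an `==` end check and then with `>=`. The page buffer, the adjacent "cookie" bytes and all names are constructed for the demo, and the adjacent bytes live in the same array so the vulnerable variant never leaves it.

```c
#include <stddef.h>
#include <string.h>

enum { PAGE_LEN = 12, TAIL_LEN = 16 };
/* One backing array: the first PAGE_LEN bytes are the "page" being parsed, the
 * next TAIL_LEN bytes stand in for neighbouring memory (constructed data). */
static char backing[PAGE_LEN + TAIL_LEN + 1];

static void build_backing(void) {
    memcpy(backing, "Hello world<", PAGE_LEN);                /* ends mid-tag */
    memcpy(backing + PAGE_LEN, "cookie=SECRET123", TAIL_LEN); /* constructed */
    backing[PAGE_LEN + TAIL_LEN] = '\0';
}

/* Scanner state: p is the read position, pe is one past the buffer end. */
typedef struct { const char *p; const char *pe; } scanner;

/* Parser step: one byte normally, but '<' consumes two bytes ('<' plus the
 * first tag character), so p can jump straight over pe. */
static void step(scanner *s) { s->p += (*s->p == '<') ? 2 : 1; }

/* Vulnerable end check: equality only, so an overshoot is never noticed. */
static int at_end_eq(const scanner *s) { return s->p == s->pe; }
/* Hardened end check: at or beyond the end both count as done. */
static int at_end_ge(const scanner *s) { return s->p >= s->pe; }

/* Scans until the end check fires or hard_stop is reached (the hard stop keeps
 * the vulnerable variant inside the backing array). Returns how many bytes
 * were read from outside the intended buffer, i.e. the leaked bytes. */
static size_t scan(const char *buf, size_t len, const char *hard_stop,
                   int (*at_end)(const scanner *)) {
    scanner s = { buf, buf + len };
    size_t leaked = 0;
    while (!at_end(&s) && s.p < hard_stop) {
        if (s.p >= s.pe) leaked++; /* this read touches memory past the page */
        step(&s);
    }
    return leaked;
}

size_t leaked_with_eq_check(void) {
    build_backing();
    return scan(backing, PAGE_LEN, backing + PAGE_LEN + TAIL_LEN, at_end_eq);
}
size_t leaked_with_ge_check(void) {
    build_backing();
    return scan(backing, PAGE_LEN, backing + PAGE_LEN + TAIL_LEN, at_end_ge);
}
```

With the equality check the scan walks through all 15 bytes of the constructed "cookie" region before the hard stop; with `>=` the jump past the end is caught at once and nothing outside the page is read.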
Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18, with almost one in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests. However, the researcher argued that the DNS provider was double-dealing, claiming that the Cloudbleed vulnerability had existed for months, based on Google’s cached data.
Have you been affected?
A large number of Cloudflare’s services and websites have their HTML pages parsed and modified by Cloudflare’s edge servers. Even if you do not use CloudFlare directly, that does not mean you are spared: websites you visit and web services you use may have been affected, leaking your data as well.
You can check an unofficial list of sites possibly affected by the HTTPS traffic leak. This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data), so it is a broad, sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites that do not appear on the list may be compromised.
Using the website http://cloudflarelistcheck.abal.moe/ you can simply search the unofficial list mentioned above.
Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns.
What to do now?
Online users are strongly recommended to reset their passwords for all accounts, especially if they have reused the same password across sites, and to monitor account activity closely while cleanup is underway. Moreover, customers who use Cloudflare for their websites are advised to force a password change for all of their users.