Cloudflare 'Cloudbleed' Flaw Leaks User Data from Millions of Websites


Google security researcher Tavis Ormandy recently uncovered a Cloudflare bug, now (inevitably) dubbed "Cloudbleed," which was leaking millions of people's personal information online, including private messages, password manager data and hotel bookings.

"It turned out that in some unusual circumstances... our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data," Cloudflare programmer John Graham-Cumming acknowledged in a blog post detailing the issue. "And some of that data had been cached by search engines."
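As an added illustration (not Cloudflare's code or data), the C scanner below models the over-read Graham-Cumming describes: an end-of-buffer test written as `p == end` is jumped over by a two-byte step across a truncated tag, after which the walk continues into the next customer's memory and copies it out, while the `p >= end` form stops. The memory image, the tag format and the `==` versus `>=` pattern are assumptions made for this demo.

```c
#include <stddef.h>
#include <string.h>

/* Constructed memory image (not Cloudflare's code or data): customer A's HTML
 * response is cut off right after a '<', and customer B's response happens to
 * sit immediately behind it in the same process. No byte of B may reach A's client. */
static const char mem[] =
    "<p>hi</p><"            /* customer A: 10 bytes, truncated mid-tag         */
    "<b>token=SECRET</b>";  /* customer B: private data that must stay private */
static const size_t a_len = 10;

/* Copy the visible text of the response [buf, buf+len) into out, skipping tags.
 * To classify a tag the scanner peeks one byte past each '<' and then advances
 * by two, so a single step can carry p from end-1 to end+1.
 *   fixed == 0: stop when p == end (the check a two-byte step can jump over)
 *   fixed != 0: stop when p >= end, and refuse to peek past end
 * hard bounds the walk to the image so the demo itself never reads undefined memory. */
static size_t extract_text(const char *buf, size_t len, int fixed,
                           const char *hard, char *out, size_t outcap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;

    while (p < hard && (fixed ? p < end : p != end)) {
        if (*p == '<') {
            if (fixed && p + 1 >= end) break;   /* nothing to peek at: stop cleanly */
            int closing = (p[1] == '/');        /* the peek; classification unused here */
            (void)closing;
            p += 2;                             /* the two-byte step               */
            while (p < hard && *p != '>') p++;  /* skip the rest of the tag        */
            if (p < hard) p++;                  /* and the '>' itself              */
            continue;
        }
        if (n < outcap) out[n++] = *p;          /* text byte: goes to the client   */
        p++;
    }
    if (n < outcap) out[n] = '\0';
    return n;
}

/* Both run the same scanner over customer A's 10 bytes; only the end test differs. */
size_t naive_extract(char *out, size_t cap)
{ return extract_text(mem, a_len, 0, mem + sizeof mem - 1, out, cap); }
size_t fixed_extract(char *out, size_t cap)
{ return extract_text(mem, a_len, 1, mem + sizeof mem - 1, out, cap); }
```

`naive_extract` returns `hitoken=SECRET`, customer B's data handed to customer A's client, while `fixed_extract` returns just `hi`; the same class of over-read is why the advice later in this article is to invalidate sessions and rotate keys rather than trust that nothing left the server.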

The greatest impact of the flaw, Graham-Cumming wrote, took place between February 13 and February 18, when about one in every 3,300,000 HTTP requests through Cloudflare potentially resulted in data leakage.

On February 19, Ormandy stated, "The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings."

"We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," Ormandy added.

As Ormandy communicated with Cloudflare, the company pointed out that they do have a bug bounty program -- but he noticed its top-tier reward is a t-shirt. "Needless to say, this did not convey to me that they take the program seriously," he wrote.

In response to the discovery of the flaw, Cloudflare's Graham-Cumming wrote, "The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months."

Prevoty CTO and co-founder Kunal Anand told eSecurity Planet by email that while leading companies like Google are now actively purging their search caches to remove the exposed data, other companies aren't being as transparent about how they'll deal with the issue.

"A lot of popular Internet companies/operators have been affected -- and unfortunately they'll have to be the ones working directly with customers and giving them the bad news," Anand said. "All affected sites/services need to destroy all HTTP sessions and potentially do API key as well as password resets across the board."

"There's been a very big move to the cloud and centralized security infrastructure -- I think this will give security teams at the Fortune 500 companies some pause and headaches as they plan their security roadmap," Anand added.

In response to the breach, AsTech chief security strategist Nathan Wenzler suggested all users should immediately change their passwords at every website they use. "With over 5.5 million domains reported to be hosted on Cloudflare, odds are very good that you use or have used one of these sites," he said.

"And if you are, like many people, using the same password over and over on multiple sites, if your account is compromised on one site because of Cloudbleed, it is compromised on all the other sites you use that password, too," Wenzler added.

Recent research has found that 26 percent of IT professionals admit sharing passwords, and 62 percent of companies now store sensitive customer data in the public cloud.