Cloudflare bug leaks personal info from 120,000 sites

Hackers are not exploiting 'Cloudbleed' flaw, says CTO

Cloudflare has been leaking personal information, passwords and software keys from over 120,000 sites and services onto the internet, the company has revealed.

The leak was caused by a bug in the company's systems, which provide anti-DDoS and CDN services for around six million websites, and affected companies including Uber, OKCupid and Fitbit.

Discovered by Google security researcher Tavis Ormandy, the bug - which has already been dubbed 'Cloudbleed' after the Heartbleed OpenSSL vulnerability discovered in 2014 - is apparently a buffer overflow issue and has been blamed on malformed HTML code.

"In some unusual circumstances," Cloudflare CTO John Graham-Cumming wrote in a blog post detailing the issue, "our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines."


In layman's terms, this meant that users visiting Cloudflare-hosted sites could wind up with data from other sites embedded in their browser. So, someone visiting the Fitbit site could end up accidentally gathering data from another person's OKCupid activity.
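The buffer over-read pattern described above, as an added illustration that is not Cloudflare's code: a toy tag scanner run over a constructed memory layout in which one customer's malformed page sits directly in front of another request's cookie. The unchecked scanner "completes" the unterminated tag from the neighbour's bytes; the bounded version stops at the buffer end and reports the malformed input. The page contents, cookie value and function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "edge server memory": one customer's page followed directly by
 * bytes that belong to a different request. The page is malformed: its last
 * tag is never closed with '>'. (All values here are made up.) */
#define PAGE      "<p>hi</p><img src=\"logo.png\" alt=\"unterminated"
#define NEIGHBOUR "\r\nCookie: session=CONSTRUCTED-SECRET-TOKEN>\r\n"
#define PAGE_LEN  (sizeof(PAGE) - 1)
static const char ARENA[] = PAGE NEIGHBOUR;

/* Vulnerable pattern: copies the last tag up to the next '>' and trusts the
 * input to be well formed. On a malformed page the scan runs past page+len
 * and returns whatever sits next in memory. */
size_t last_tag_unchecked(const char *page, size_t len, char *out, size_t outsz)
{
    const char *p = page + len;
    while (p > page && p[-1] != '<') p--;               /* back up to last '<' */
    size_t n = 0;
    while (*p != '>' && n + 1 < outsz) out[n++] = *p++; /* no bound on p */
    out[n] = '\0';
    return n;
}

/* Hardened: every read is bounded by the buffer end, and an unterminated tag
 * is reported (-1) instead of being "completed" from adjacent memory. */
long last_tag_checked(const char *page, size_t len, char *out, size_t outsz)
{
    const char *end = page + len, *p = end;
    while (p > page && p[-1] != '<') p--;
    size_t n = 0;
    while (p < end && *p != '>' && n + 1 < outsz) out[n++] = *p++;
    out[n] = '\0';
    if (p == end || *p != '>') return -1;               /* malformed or truncated */
    return (long)n;
}

/* 1 if the neighbouring request's secret shows up in the scanner's output. */
int unchecked_leaks_neighbour(void)
{
    char out[128];
    last_tag_unchecked(ARENA, PAGE_LEN, out, sizeof out);
    return strstr(out, "CONSTRUCTED-SECRET-TOKEN") != NULL;
}
int checked_leaks_neighbour(void)
{
    char out[128];
    long r = last_tag_checked(ARENA, PAGE_LEN, out, sizeof out);
    return r != -1 || strstr(out, "CONSTRUCTED-SECRET-TOKEN") != NULL;
}
```

The unchecked scanner's output ends with the neighbour's cookie; the checked one returns -1 with only the page's own bytes in the output.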

The leak was most active from 13 February to 18 February, Graham-Cumming said, affecting around 120,000 sites per day. It may also have been active since 22 September 2016.

Graham-Cumming has said that the issue is now fixed and cached data largely removed from search engines such as Google, adding that he does not believe that the leaked information has been exploited by hackers.

Ormandy kept a running log of the incident, from initial discovery all the way to resolution and public disclosure, including examples of some of the data that was being exposed by the issue.

"We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users," he wrote. "We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!)."

"The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."


While Cloudflare says it's confident that the information is not being exploited, some security experts are warning that accounts hosted on any site that uses Cloudflare could be compromised, and that users may want to change their account details and passwords.

Image credit: Tavis Ormandy
