Cloudbleed Causes Cloudflare Leak

On February 17, 2017, while working on a project, Tavis Ormandy from Google’s Project Zero came across the vulnerability we now know as Cloudbleed. The name is an obvious reference to Heartbleed, the critical security bug found in the OpenSSL cryptography library in 2014 that dumped SSL requests from memory in clear text when triggered. The Cloudbleed bug was traced to faulty HTML parsers and affected sites that used the Cloudflare CDN service. Essentially, if an HTML page was hosted behind Cloudflare and contained a specific set of unbalanced HTML tags, uninitialized memory mixed in with valid data was output back to the user’s browser. Within this output were passwords, encryption keys, HTTPS requests, full POST body data, chat messages from popular online chat services, frames from adult video sites, session cookies, and other sensitive data from some of the many sites that utilize Cloudflare’s services.
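To make the failure mode above concrete, here is an added example (not code from this post or from Cloudflare) that models the class of bug in miniature: a toy tag-skipping routine whose loop only stops on an exact equality with the end-of-page pointer, so an unclosed tag at the end of the page lets the scan jump past that pointer and copy a neighbouring request's bytes to the client. The arena layout, the page content and the `cookie=SECRET123` value are all constructed for the demonstration; the real parser's internals are not described on this page. The hardened variant beside it uses `<` bounds checks everywhere the pointer advances.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: one shared buffer standing in for a proxy's request
 * memory. The client's page occupies the first page_len bytes; the bytes
 * after it belong to another tenant and must never reach this client. */
#define ARENA_SIZE 128
static char arena[ARENA_SIZE];

/* Lay out the arena: an HTML fragment ending in an unbalanced "<script"
 * tag, immediately followed by another request's data. Returns page_len. */
static size_t build_arena(void)
{
    const char *page = "<p>hi</p><script";        /* no closing '>' */
    const char *neighbour = ">cookie=SECRET123;";  /* constructed secret */
    memset(arena, 0, sizeof arena);
    memcpy(arena, page, strlen(page));
    memcpy(arena + strlen(page), neighbour, strlen(neighbour));
    return strlen(page);
}

/* VULNERABLE: copies text nodes and skips tags. The outer loop terminates
 * only on p == end, and the tag-skip loop has no bound at all, so an
 * unclosed tag walks p past end and the outer check never fires again.
 * out must hold out_cap + 1 bytes; the result is NUL-terminated. */
size_t copy_text_vulnerable(const char *page, size_t page_len,
                            char *out, size_t out_cap)
{
    const char *p = page, *end = page + page_len;
    size_t n = 0;
    while (p != end && n < out_cap) {      /* BUG: '!=' instead of '<' */
        if (*p == '<') {
            while (*p != '>') p++;          /* BUG: unbounded scan */
            p++;                            /* step past '>' */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* FIXED: every pointer advance is guarded by p < end, so an unbalanced
 * tag simply ends the scan at the page boundary. */
size_t copy_text_fixed(const char *page, size_t page_len,
                       char *out, size_t out_cap)
{
    const char *p = page, *end = page + page_len;
    size_t n = 0;
    while (p < end && n < out_cap) {
        if (*p == '<') {
            while (p < end && *p != '>') p++;
            if (p < end) p++;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Convenience wrappers: build the arena, then run one parser over the page. */
size_t run_vulnerable(char *out, size_t out_cap)
{
    size_t page_len = build_arena();
    return copy_text_vulnerable(arena, page_len, out, out_cap);
}

size_t run_fixed(char *out, size_t out_cap)
{
    size_t page_len = build_arena();
    return copy_text_fixed(arena, page_len, out, out_cap);
}

int main(void)
{
    char out[33];
    run_vulnerable(out, 32);
    printf("vulnerable: \"%s\"\n", out);  /* leaks the neighbour's cookie */
    run_fixed(out, 32);
    printf("fixed:      \"%s\"\n", out);  /* just "hi" */
    return 0;
}
```

With a 32-byte output cap the vulnerable routine returns "hi" followed by `cookie=SECRET123;`, while the fixed one returns only "hi". The same shape of check (`==` where `<` or `>=` was needed) is exactly what a fuzzer fed with truncated and unbalanced tags flushes out quickly, which is why parser code that runs over multi-tenant buffers should be fuzzed with malformed input before it is rolled out widely.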

The faulty HTML parsers were initially introduced in September 2016 to a few sites that used Cloudflare’s services, so only a relatively small number of sites were affected. However, by February the number increased significantly when Cloudflare issued an update making the parsers much more widely used. This, in turn, caused the bug to be triggered an estimated 1.2 million times. The greatest impact was between February 13-18, when 1 in every 3.3 million requests through Cloudflare’s service possibly resulted in memory leakage. That may not seem like much, but with Cloudflare having an estimated 4-6 million websites using its services, it is. Major search engine crawlers were found to be caching the sensitive data, prompting search engine providers like Google, Bing, Yahoo, and others to purge cached pages that held sensitive data from their indexes. Luckily, as of today, there has been no evidence that passwords, personal info, encryption keys, credit cards, etc. have been leaked to hackers or cyber criminals, and the issue has been fixed. However, you should still change your passwords: the absence of evidence doesn’t mean everyone is one hundred percent in the clear. Also, Cloudflare’s CDN customers share infrastructure, making it almost impossible to get an accurate read on every website that was affected. As of February 23, Cloudflare reported the issue has been fixed, but we’re going to keep our eyes and ears open and report back if anything new develops.

About the Author

Joseph Hitchcock - Technical Security Evangelist


Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting the Web Security Manager WAF. He was eventually promoted to Senior Web Security Analyst, where his job included building custom security policies, researching new web attacks and adding custom signatures to improve WSM detection.
