The Cloudbleed Problem

Recently (as of Feb. 24th), internet giant Cloudflare has experienced a bug that leaks users passwords, cookies, tokens, API keys and other rather sensitive information. So what happened?

Who are Cloudflare?

Cloudflare are a Content Delivery Network, internet security company and a distributed domain name server. It sits between the end user (you) and your favourite websites and services (e.g. Fitbit, Discord, Reddit) and protects them from DDoS attacks and other malicious attacks.

What happened?

As I said before, a bug was found in a couple of areas of Cloudflare’s code that allowed passwords, API keys and other sensitive information to be leaked. It was compared to the famous 2014 Heartbleed bug in the OpenSSL software library.

Who found it?

Luckily for us, the bug was found by someone on Google’s ‘Project Zero’. Tavis Ormandy discovered the bug after seeing multiple corrupted pages being returend by some of his HTTP requests that ran through Cloudflare’s system. Like a responsible and good person, he disclosed this immediately to Cloudflare, who went on to disable the affected services within 47 minutes of the issues being brought to light.

What was leaked?

Various things were leaked. We are not fully sure of what exactly has been leaked, but the following is a somewhat useful guide:

  • Passwords
  • API Keys
  • Cookies
  • Auth Tokens
  • Usernames
  • Private Messages

Has it been fixed?

Yes. Cloudflare was amazingly quick at fixing this. It took them 7 hours to complete it globally. Good job guys.

So what went wrong?

In one phrase. HTML Parsing. In a bit more complex, basically the HTML Parser was being updated. A bug meant that the server would have a buffer overflow and would read out unused/unallocated memory and dump it into the html file. This would result in (on occasion) sensitive information being dumped. Only 1 in 3,300,000 requests would actually cause this to happen, so it was a tiny number, but still a number.

Cloudflare have a nice rundown here.

Who was affected?

There is a GitHub Repo with the full list (its a 70mb txt file in a 22mb ZIP archive). There is also an excellent website called Does It Use Cloudflare? It does what it says on the tin.

Final Thoughts?

It worries me that this happened, however at least it was solved quickly. What annoys me more that Cloudflare fixed this, and when I presented a similar (but not as serious) issue to my school, they tried to throw me out.

#cloudbleed on Twitter is interesting too.

Anyway, see you soon. Also, check out Citation Needed Fan Edition.

Leave a Reply

Your email address will not be published. Required fields are marked *