Category: Code

The Cloudbleed Problem

Recently (as of Feb. 24th), internet giant Cloudflare experienced a bug that leaked users' passwords, cookies, tokens, API keys and other rather sensitive information. So what happened?

Who are Cloudflare?

Cloudflare is a content delivery network, internet security company and distributed DNS provider. It sits between the end user (you) and your favourite websites and services (e.g. Fitbit, Discord, Reddit) and protects them from DDoS and other malicious attacks.

What happened?

As I said before, a bug was found in a couple of areas of Cloudflare’s code that allowed passwords, API keys and other sensitive information to be leaked. It was compared to the famous 2014 Heartbleed bug in the OpenSSL software library.

Who found it?

Luckily for us, the bug was found by someone on Google's 'Project Zero'. Tavis Ormandy discovered it after seeing multiple corrupted pages being returned by some of his HTTP requests that ran through Cloudflare's system. Like a responsible and good person, he disclosed this immediately to Cloudflare, who went on to disable the affected services within 47 minutes of the issue being brought to light.

What was leaked?

Various things were leaked. It is not fully known what exactly was leaked, but the following is a rough guide:

  • Passwords
  • API Keys
  • Cookies
  • Auth Tokens
  • Usernames
  • Private Messages

Has it been fixed?

Yes. Cloudflare was amazingly quick at fixing this. It took them 7 hours to complete it globally. Good job guys.

So what went wrong?

In one phrase: HTML parsing. In a bit more detail, Cloudflare's HTML parser was being updated, and a bug meant that the server would overrun a buffer while reading, pull in unused/unallocated memory and dump it into the returned HTML. On occasion that memory contained sensitive information. Only 1 in 3,300,000 requests actually triggered it, so it was a tiny fraction, but still a fraction.

Cloudflare have published a nice rundown of the incident.
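An added illustration of the bug class described above, not Cloudflare's code and not the actual bug in their parser: a tiny tag-copying routine that scans for '>' without checking where its buffer ends, beside the bounds-checked version. The shared pool, the 16-byte page and the neighbouring request's cookie are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed shared buffer pool: the 16 bytes of HTML being parsed for one
 * visitor are immediately followed by bytes of another visitor's request.
 * Simplified illustration of the bug class, not Cloudflare's code. */
#define HTML_LEN 16
static char pool[64];

static void build_pool(void) {
    memset(pool, 0, sizeof pool);
    memcpy(pool, "<a href=\"/x\" id=", HTML_LEN);         /* tag never closed */
    strcpy(pool + HTML_LEN, "Cookie: session=s3cr3t>"); /* neighbour's data */
}

/* Buggy: copies the first tag into out by scanning for '>' with no check
 * against the end of the HTML buffer (len is ignored), so an unterminated
 * tag walks straight on into the neighbour's bytes and copies them out. */
static size_t copy_tag_buggy(const char *html, size_t len, char *out, size_t cap) {
    const char *p = html;
    size_t n = 0;
    (void)len;
    while (*p != '>' && n < cap - 1) out[n++] = *p++;
    if (n < cap - 1) out[n++] = *p;             /* the closing '>' */
    out[n] = '\0';
    return n;
}

/* Fixed: never reads past html + len; an unterminated tag yields a
 * truncated tag (no closing '>') instead of someone else's memory. */
static size_t copy_tag_fixed(const char *html, size_t len, char *out, size_t cap) {
    const char *p = html, *end = html + len;
    size_t n = 0;
    while (p < end && *p != '>' && n < cap - 1) out[n++] = *p++;
    if (p < end && n < cap - 1) out[n++] = *p;  /* '>' only if inside the buffer */
    out[n] = '\0';
    return n;
}

/* Runs one parser over the pool; returns 1 if the neighbour's session
 * cookie ended up in the output, 0 otherwise. */
static int leaks_secret(size_t (*copy)(const char *, size_t, char *, size_t)) {
    char out[64];
    build_pool();
    copy(pool, HTML_LEN, out, sizeof out);
    return strstr(out, "session=s3cr3t") != NULL;
}
int main(void) {
    printf("buggy: %d  fixed: %d\n", leaks_secret(copy_tag_buggy), leaks_secret(copy_tag_fixed));
    return 0;
}
```

The fixed version still has to signal the truncation to its caller (here: no trailing '>'), otherwise a half-copied tag silently becomes part of the page.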

Who was affected?

There is a GitHub repo with the full list of affected sites (it's a 70 MB text file in a 22 MB ZIP archive). There is also an excellent website called Does It Use Cloudflare? It does what it says on the tin.

Final Thoughts?

It worries me that this happened, however at least it was solved quickly. What annoys me more is that Cloudflare fixed this, and when I presented a similar (but not as serious) issue to my school, they tried to throw me out.

#cloudbleed on Twitter is interesting too.

Anyway, see you soon. Also, check out Citation Needed Fan Edition.

The 2016 Programmer Survey!

I had the idea for this as I watched the analysis of the Nerdfightaria Survey. The basic concept is that programmers answer the questions and we get an idea of who here programs. Results will be published in January 2017 with an analysis and a raw spreadsheet.

ALL DATA IS COMPLETELY ANONYMOUS AND WILL BE AVAILABLE FOR DOWNLOAD IN JANUARY 2017.

Anyway, if you wish to answer the survey, click here: https://goo.gl/forms/HCfCtRe1kprUEhEI2

Thanks and have fun!


Random Game Idea Thing…

Thank Twitch Chat… Forgot the bloke's name… Sorry!

“Make a game about people made out of cheese that have to escape from huge mice that want to eat you @ZachIsCheese”

-Some Random Bloke

Some Thoughts on App Creation

I am currently working on an app. Woah! I know right? Edgy af or whatever the cool kids say (I don’t care, I’m in it because).

However, when working on it, I thought of a video by Tom Scott and Matt Grey on their app, Emojli. It’s a lot of work! So here is the video, sit back, grab a cup of tea or a beer if that’s more your thing and enjoy!