CloudFlare Bug – Leaking Users Sensitive Data Since 22th Sep 2016

CloudFlare CloudBleed Bug

Recently, Cloudflare revealed a serious bug that causes leaking of sensitive data of users like passwords, cookies, authentication tokens to spill in plaintext from its customers’ websites.

The bug is discovered by  Tavis Ormandy from Google’s Project Zero and reported it to Cloudflare. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. The leak may active from past five months i.e 22th Sept 2016.

The bug allows anyone who noticed the error to collect a variety of very personal information that is typically encrypted or obscured.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. Cloudflare said, We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

Source – Wordfence

Some of that data was automatically cached by search engines, making it particularly difficult to clean up the aftermath as Cloudflare had to approach Google, Bing, Yahoo and other search engines and ask them to manually scrub the data.

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests). Attackers could have accessed the data in real-time, or later through search engine caches.

cloudflare bug
(Source: Google Project Zero)

Cloudflare’s teams in San Francisco and London handed off shifts to one another, working around the clock to fix the bug once it was reported. They had stopped the most severe issue within seven hours. It took six days for the company to completely repair the bug and to work with search engines to scrub the data.

“This is subject to a 90 day disclosure. We were disclosing after six days,” Graham-Cumming said. “He’s saying he’s frustrated but I’m a little bemused at why he’s frustrated with six days rather than 90. We would have disclosed even earlier, but because some of this info had been cached, we thought we had a duty to clean that up before it became public. There was a danger that info would persist in search engines like Google.”

Graham-Cumming said that Cloudflare customers like Uber and OkCupid weren’t directly notified of the data leaks because of the security risks involved in the situation. “There was no backdoor communication outside of Cloudflare — only with Google and other search engines,” he said.

SignUp to TheHackerStuff Newsletter to get updated with latest security issues,bugs etc directly to your inbox.

Get Latest Stuff Through Email


Source of Article – TechCrunch

Related Stuff

Leave a Reply