Security researchers from Google's Project Zero have uncovered a critical bug in Cloudflare's reverse proxy that allowed sensitive data (passwords, cookies, encryption keys) from websites behind it to leak to unrelated requesters.
Patreon, Y Combinator, Medium, 4chan, Yelp, OKCupid, Zendesk, Uber and 23andMe are among the best-known sites reported as affected. The issue is serious enough to have earned its own name: Cloudbleed.
The bug was discovered on February 17 by Project Zero's Tavis Ormandy and has since been fixed. Cloudflare puts the period of greatest impact between February 13 and February 18, when roughly one in every 3,300,000 HTTP requests through its network leaked memory.
Session tokens, passwords, private messages, API keys and other sensitive data were returned by Cloudflare to whoever happened to make a triggering request. Some of that data was cached by search engines, and it could have been harvested by anyone who noticed it during the months the bug was live.
Requests to sites that had one of Cloudflare's HTML-rewriting features enabled (Email Obfuscation, Server-side Excludes or Automatic HTTPS Rewrites, per Cloudflare's report) triggered a pointer bug in the HTML parser. Cloudflare traces it to a bounds check that tested for equality with the end-of-buffer pointer (==) rather than greater-or-equal (>=): a malformed, unterminated tag at the very end of a buffer let the parser's pointer step over the end by one byte, the check never fired, and the parser kept consuming whatever lay beyond the buffer. Once triggered, the response included data from ANY other Cloudflare proxy customer that happened to be in the shared proxy memory at the time. In other words, a request for a page with one of those features enabled could return data belonging to Uber or to any of the many customers that did not use those features. The exposure therefore extends to every site behind Cloudflare's proxy, whether served over HTTP or HTTPS, because the leaked memory belonged to the shared edge process rather than to the requested site.
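To make that mechanism concrete, here is a constructed C illustration of the bug class, written for this article and not taken from Cloudflare's parser: a tiny tag scanner whose end-of-buffer test uses == and, beside it, the >= fix. The memory layout (one tenant's page followed by another tenant's data in the same array), the tenant names, the secret string and the scanner's own "skip one byte" action are all invented for the example; only the ==/>= shape of the check comes from Cloudflare's report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the Cloudbleed bug class (not Cloudflare's
 * code). A scanner walks one HTML tag and tests for the end of the response
 * buffer with `==`. One of its actions advances the pointer by an extra byte,
 * so when the tag is cut off at exactly the right place the pointer steps over
 * `pe` and the `==` test never fires; `>=` catches it. `hard_end` is the end of
 * the backing array and only keeps this demo memory-safe; a real proxy would
 * keep reading until it crashed or ran out of readable memory.
 */

/* Walks a tag starting at p (which points at '<'); returns a pointer just past it. */
static const char *consume_tag(const char *p, const char *pe,
                               const char *hard_end, int fixed)
{
    int quoted = 0;
    while (p < hard_end) {
        if (!quoted && *p == '>')
            return p + 1;                 /* tag closed normally */
        if (*p == '"') {
            quoted = !quoted;
            if (quoted)
                p++;  /* constructed action: the byte after an opening quote is
                         inside the value and cannot close the tag, so skip it.
                         This extra advance is what lets `==` be jumped over. */
        }
        /* end-of-buffer check: the bug (==) versus the fix (>=) */
        if (fixed ? (++p >= pe) : (++p == pe))
            return pe;
    }
    return hard_end;
}

/* Proxies a response of `len` bytes at buf: copies text through and hands
 * tags to consume_tag, emitting exactly the bytes the scanner walked over. */
static size_t proxy_rewrite(const char *buf, size_t len, const char *hard_end,
                            char *out, size_t cap, int fixed)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (p < pe && n + 1 < cap) {
        if (*p == '<') {
            const char *stop = consume_tag(p, pe, hard_end, fixed);
            size_t span = (size_t)(stop - p);
            if (span > cap - 1 - n)
                span = cap - 1 - n;
            memcpy(out + n, p, span);   /* anything past pe is another tenant's memory */
            n += span;
            p = stop;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Constructed heap layout: tenant A's response is immediately followed in the
 * same arena by tenant B's data. Only A's bytes belong to the response. */
static const char PAGE_A[] = "<p>hi</p><a href=\"";   /* opening quote is the last byte */
static const char DATA_B[] = "Cookie: session=SECRET_OF_TENANT_B";

/* Returns 1 if rewriting A's page leaks B's secret into the output. */
int leaks_neighbor(int fixed)
{
    char arena[128], out[128];
    size_t la = strlen(PAGE_A), lb = strlen(DATA_B);
    memcpy(arena, PAGE_A, la);
    memcpy(arena + la, DATA_B, lb);
    proxy_rewrite(arena, la, arena + la + lb, out, sizeof out, fixed);
    return strstr(out, "SECRET_OF_TENANT_B") != NULL;
}

/* Returns 1 if a well-formed page passes through byte-for-byte unchanged. */
int passthrough_intact(int fixed)
{
    const char page[] = "<a href=\"x\">ok</a>";
    char out[64];
    proxy_rewrite(page, strlen(page), page + strlen(page), out, sizeof out, fixed);
    return strcmp(out, page) == 0;
}

int main(void)
{
    printf("buggy (==): leaks neighbour = %d\n", leaks_neighbor(0));
    printf("fixed (>=): leaks neighbour = %d\n", leaks_neighbor(1));
    printf("well-formed page intact: %d / %d\n",
           passthrough_intact(0), passthrough_intact(1));
    return 0;
}
```

Two things are worth noticing when running it. Both versions handle well-formed markup identically, and the buggy one also handles most truncated tags correctly: the leak fires only when the skipped byte lands exactly on the end pointer, which is why a bug of this shape can sit in production for months and still affect a tiny fraction of requests. And once the pointer is past the end, the caller faithfully emits everything the scanner walked over, so the requester receives the neighbouring tenant's bytes as part of an otherwise ordinary response.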
“The greatest period of impact was from February 13 to February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day”
Ormandy says that the Project Zero team who analyzed the issue “observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users” in the samples of leaked data they collected. Ormandy contacted Cloudflare on February 17, the day he found the bug, initially reaching out via Twitter to get hold of its security team.
Cloudflare has published a thorough incident report on its blog explaining in depth what caused the bug and how it was fixed; if you want the full technical detail, that official post is the place to start.
Cloudflare has a very large customer base, so the list of potentially affected websites and apps is long. A GitHub project has been set up to identify affected sites from data published by Cloudflare and other sources, and you can check out the list here.
Not every website that uses Cloudflare is affected by Cloudbleed. The same GitHub project notes, for instance, that Stack Overflow is safe, as are 1Password and FastMail. In case you are wondering, Tier3 is not a Cloudflare customer and is therefore not affected.
Because the bug was in Cloudflare's edge rather than in customer code, there is nothing for site operators to patch. The practical response is to assume that anything which passed through the proxy during the exposure window could have leaked: rotate session secrets and API keys, invalidate active sessions, and consider forcing password resets for users. If you are a Cloudflare customer affected by this vulnerability, Tier3 Cyber Security can help you work through that response.