More than 1,000 Sites Compromised by Cloudflare Bug
“It took every ounce of strength not to call this issue ‘cloudbleed’,” joked Google’s Tavis Ormandy, shortly before describing a serious security flaw in Cloudflare’s HTML-rewriting code (the machinery behind its email obfuscation feature) that would widely be dubbed just that.
The hole was in Cloudflare’s HTML parser, which does more than parse: it rewrites pages on the fly (obfuscating email addresses, for instance) as they pass through the proxy. Given certain malformed HTML that left an unbalanced tag at the very end of a buffer, the parser read past the end of that buffer and copied whatever followed it in the proxy process’s memory into the response it sent back. Because one proxy process handles traffic for many customers, that memory sometimes held other sites’ passwords, HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data.
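Cloudflare’s post-mortem traced the overrun to an end-of-buffer test written with == rather than >=, which a parser action that advanced the cursor on its own could step straight over. The toy scanner below is an added illustration of that bug shape, written for this page; it is not Cloudflare’s parser, and the page text, the neighbouring “Cookie:” line and the arena that places them side by side are all constructed so the over-read stays inside one allocation and runs deterministically.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the Cloudbleed bug class (constructed illustration, not
 * Cloudflare's code): a byte-at-a-time HTML scanner whose end-of-buffer
 * test is `==` instead of `>=`. One parser action advances the cursor by
 * itself (the byte after '<' is consumed as the tag's first character). If
 * that action fires on the last byte of the buffer, the cursor lands exactly
 * on `pe`, the following `++p == pe` test never matches, and the scanner
 * walks on into whatever memory sits after the page.
 */

/* Constructed inputs: a page ending in an unbalanced '<', followed in the
 * same arena by data that belongs to "someone else" (a stand-in for another
 * customer's request that happened to be in memory). */
static const char PAGE[] = "<p>hi</p><a href=mailto:x@y<";
static const char NEIGHBOUR[] = "Cookie: session=constructed-secret-token";

/* Scan [p, pe) into out, writing at most cap bytes; `hardened` selects the
 * `>=` bound check. Returns the number of bytes written (not NUL-terminated).
 * The toy also stops at a NUL byte, a courtesy the real parser did not have. */
static size_t scan(const char *p, const char *pe, int hardened,
                   char *out, size_t cap)
{
    size_t n = 0;
    if (p >= pe) return 0;
    for (;;) {
        char c = *p;
        if (c == '\0' || n == cap)
            break;
        out[n++] = c;
        if (c == '<') {
            /* parser action: the tag's first byte is consumed here too.
             * On a trailing '<' this leaves p == pe. */
            p++;
            if (hardened && p >= pe)   /* fixed: re-check after the action */
                break;
        }
        ++p;
        /* vulnerable: `==` is skipped when p was already at pe;
         * hardened:   `>=` catches any cursor at or beyond the end */
        if (hardened ? p >= pe : p == pe)
            break;
    }
    return n;
}

/* Lay the page and the neighbour's data out back to back, run the scanner
 * over the page only, and NUL-terminate the output. Returns bytes produced. */
size_t rewrite_page(int hardened, char *out, size_t cap)
{
    char arena[sizeof PAGE - 1 + sizeof NEIGHBOUR];
    memcpy(arena, PAGE, sizeof PAGE - 1);                       /* page, no NUL */
    memcpy(arena + sizeof PAGE - 1, NEIGHBOUR, sizeof NEIGHBOUR); /* neighbour + NUL */
    size_t n = scan(arena, arena + sizeof PAGE - 1, hardened, out, cap - 1);
    out[n] = '\0';
    return n;
}

/* 1 if the scanner's output carries the neighbour's secret, else 0. */
int leaks_neighbour(int hardened)
{
    char out[256];
    rewrite_page(hardened, out, sizeof out);
    return strstr(out, "session=constructed-secret-token") != NULL;
}

int main(void)
{
    char out[256];
    rewrite_page(0, out, sizeof out);
    printf("vulnerable (==): %s\n", out);
    rewrite_page(1, out, sizeof out);
    printf("hardened   (>=): %s\n", out);
    return leaks_neighbour(0) && !leaks_neighbour(1) ? 0 : 1;
}
```

Move the trailing '<' one byte earlier in PAGE and the vulnerable scanner stops cleanly: the leak needs the malformed tag to land on the last byte of the buffer, which is why it fired on only a tiny fraction of requests while still being reachable from any page that happened to end that way.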
And it got worse, as Cloudflare described in its post-mortem:
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
The greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
The good news is that this means the chance of any given request leaking memory is slightly less than your chance of dying of food poisoning and far less than your chance of being struck by lightning. The caveat is that this is the odds of a request triggering the leak, not the odds that your data was exposed: what spilled was whatever happened to be in the proxy’s memory at that moment, drawn from the traffic of any Cloudflare-fronted site, so a session token or password of yours could have been leaked by a request you never made. The conservative response is to rotate passwords and invalidate sessions for services that sat behind the proxy during the exposure window. Cloudflare said there have been no known exploits in the wild, and Google worked quickly to clear its cache of affected pages.
But the scope of the potential impact, almost any site that used Cloudflare’s proxy service, is incredibly broad: the leak could only be triggered through pages that used the buggy rewriting features, but the memory it exposed could belong to any proxied site’s traffic. Someone on GitHub put together a list of sites that use any of Cloudflare’s services (it covers more than proxy customers, so many of them would not have been affected), and another developer has a quick check to see whether a site uses Cloudflare. Cloudflare said it spotted leaked data across 161 unique domains in search-engine caches, and that most of that data has since been purged.
Unlike Heartbleed, this bug was closed very quickly once reported: Cloudflare said an initial mitigation (switching off the feature that triggered the leak) was in place globally within 47 minutes and a complete fix within 7 hours. The vulnerable code had been live for months before Ormandy found it, though, so the fast fix limited future exposure rather than the window that had already passed. It is also a good reminder that there remain many unknown unknowns that leave us all vulnerable.