
Cloudbleed Vulnerability Warrants Password Changes

Posted on February 25, 2017

Cloudflare has disclosed a bug in its code that leaked the contents of its servers' memory, including other customers' user data, into web pages served to the public. For those unaware, Cloudflare is a reverse proxy and web performance service that sits in front of websites to protect them and their users from malicious traffic, which makes a security failure of this kind acutely ironic.

The bug was discovered and reported by Tavis Ormandy of Google's Project Zero; Cloudflare identified the cause and deployed a global fix to its servers in under seven hours. The problem, detailed meticulously in a Cloudflare blog post, has been dubbed "Cloudbleed" (a name modelled on the Heartbleed bug), and it goes something like this: Cloudflare's edge servers act as a reverse proxy that caches and rewrites the pages it serves, and an HTML parser running on the edge is what powers features such as e-mail address obfuscation, Server-Side Excludes and automatic HTTPS rewrites. Cloudflare therefore sits between the client and the origin server whenever a Cloudflare-powered site is visited, meaning users' web traffic, including requests carrying cookies, session tokens, passwords and API keys, flows through Cloudflare's infrastructure. Under normal circumstances Cloudflare works unseen; the average user would not know it is there. Companies like Discord and BitPay use Cloudflare to absorb DDoS attacks.

The root of the Cloudbleed problem lay in an overhaul of that HTML parser. The change exposed a latent bug in the old parser's end-of-buffer check, which tested for the end of the buffer with an equality comparison (==) rather than >=. When a page ended inside an unterminated tag such as <script, the parser's pointer could step past the end of its buffer, and because the check only ever tested for equality, nothing stopped it from reading on. This is a buffer overrun, specifically an out-of-bounds read: the bytes beyond the buffer were not uninitialized memory but live memory of the same server process, which held data from other requests passing through that edge server at the time. Those bytes were copied into the HTTP response returned to whoever requested the malformed page. In short, potentially sensitive data belonging to users of other Cloudflare customers (cookies, session tokens, passwords, API keys, even private messages) was embedded in pages served to unrelated clients. Further complicating matters, some of those clients were search-engine crawlers, so the leaked data was cached and indexed by search engines such as Bing and Google.
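To make the mechanism concrete, the following is an added example in C, not Cloudflare's code and not the Ragel-generated parser itself. It reproduces the shape of the bug with a toy scanner: a single arena stands in for a proxy worker's memory, the page being rewritten ends inside an unterminated <script tag, the bytes that follow it are a constructed neighbouring request, and the scanner's end-of-buffer test can be run either with the == comparison from the generated code or with >=. The page text, the neighbouring request, and the function and constant names (arena, scan_script_tag, run_scan, CHECK_EQ, CHECK_GE) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed arena (not real captured data): one contiguous block stands in
 * for the memory of a proxy worker. First comes the HTML page being rewritten,
 * which ends inside an unterminated "<script" tag; immediately after it sit
 * bytes from a different client's request that happen to be adjacent on the
 * heap, exactly the situation the overrun exposed.
 */
#define PAGE      "<html><body>hello<script"
#define NEIGHBOUR "\nPOST /login HTTP/1.1\r\nCookie: session=SECRET-COOKIE-VALUE\r\n\r\n"
static const char arena[] = PAGE NEIGHBOUR;
#define PAGE_LEN (sizeof(PAGE) - 1)   /* the parser is only given the page */

enum { CHECK_EQ = 0, CHECK_GE = 1 };

/*
 * Toy "inside a <script tag" scanner. It is handed the page as [buf, buf+len)
 * and copies the tag's attribute bytes into out (a real rewriter would edit
 * them and emit them in the response). Returns the number of bytes copied.
 *
 * `mode` selects the end-of-buffer test in the per-byte transition:
 *   CHECK_EQ mirrors the generated code's `if (++p == pe)`,
 *   CHECK_GE the `>=` form Cloudflare said would have caught the overrun.
 * The overrun comes from the tag-name state, which assumes a separator byte
 * follows the name and steps over it unchecked: when the page ends exactly at
 * "<script", that step lands p on pe and the loop's next ++p jumps past it.
 */
static size_t scan_script_tag(const char *buf, size_t len,
                              char *out, size_t outcap, int mode)
{
    const char *p = buf, *pe = buf + len;
    const char *tag = NULL;
    size_t n = 0;

    for (const char *q = p; q + 7 <= pe; q++)
        if (memcmp(q, "<script", 7) == 0) { tag = q; break; }
    if (!tag) {
        out[0] = '\0';
        return 0;
    }

    p = tag + 7;                       /* unchecked step over the separator */

    for (;;) {
        /* Ragel-style transition: advance, then test for end of buffer. */
        if (mode == CHECK_EQ ? (++p == pe) : (++p >= pe))
            break;
        if (*p == '>' || *p == '\0')   /* tag closed (NUL: end of the arena) */
            break;
        if (n < outcap - 1)
            out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Run the scanner over the arena's page with the chosen end-of-buffer test. */
size_t run_scan(int mode, char *out, size_t outcap)
{
    return scan_script_tag(arena, PAGE_LEN, out, outcap, mode);
}

int main(void)
{
    char out[256];
    size_t n;

    n = run_scan(CHECK_EQ, out, sizeof out);
    printf("== check: %zu neighbour bytes copied into the response:\n%s\n", n, out);
    n = run_scan(CHECK_GE, out, sizeof out);
    printf(">= check: %zu neighbour bytes copied into the response\n", n);
    return 0;
}
```

With the == test the scanner walks straight past the end of the page and copies the neighbouring request, cookie included, into what would be the response body; with >= it stops at the first transition after the overshoot and copies nothing. The over-read stays inside the single arena array here so the demonstration is well defined; in the real server the bytes past the buffer were whatever the process heap held.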

Cloudflare has stated that the earliest leaks date back to September 2016, with the biggest impact falling between February 13th and February 18th. Cloudflare said there were about 150 customers for which it could identify data that had leaked through its servers and into search-engine caches, although it has not provided a list of those domains and likely won't, for privacy and legal reasons. Exhaustive lists of the domains that use Cloudflare (in the millions) have been circulated online, but note that merely using Cloudflare does not by itself mean a site's data was leaked. Among the most notable affected sites, and certainly pertinent to the GamersNexus crowd, is Discord, which has stated publicly that its services were affected and urged users to change their passwords. Other notable sites include:

  • authy.com
  • patreon.com
  • bitpay.com
  • yelp.com
  • uber.com
  • okcupid.com
  • change.org

BitPay has since issued a response stating that it believes its user data to be unaffected, and it offers some recommended security measures.

Cloudflare has announced the issue resolved and says it has found no evidence that the bug was exploited maliciously, but absence of evidence is not proof, and leaked data that sat in search-engine caches may have been seen by anyone. The occasion is therefore an opportunity to rotate passwords and enable two-factor authentication on any and all websites; operators of sites behind Cloudflare should also consider invalidating active sessions and rotating API keys and other secrets that may have passed through Cloudflare's servers during the affected window. The matching names "Heartbleed" and "Cloudbleed", with their anatomical play on words, serve as an implicit reminder of how a simple vulnerability can bring a seemingly healthy Internet to a halt.

- Eric Hamilton