CloudBleed: Another Internet Security Disaster

Popular Internet infrastructure service, Cloudflare, which provides security implementation for websites has been exposed to a very critical security vulnerability also known as CloudBleed, which affects around 5 million websites.

Yesterday, A security researcher Tavis Ormandy of Google’s Project Zero uncovered a major vulnerability in Cloudflare which is another internet disaster.

While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google and is being removed. 

Other data might exist in other caches and services throughout the Internet, and obviously, it is impossible to coordinate deletion across all of these locations. There is always the potential that someone malicious discovered this vulnerability independently and before Tavis, and may have been actively exploiting it, but there is no evidence to support this theory. So it's unclear that hackers have been exploiting the bug earlier.

There are millions of sites using Cloudflare service that includes Uber, OkCupid, 1password, FitBit, etc.

In an advisory, Ormandy wrote-

“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,”
“We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” - he added.

How CloudBleed arises?

Cloudbleed is especially interesting because a single character in Cloudflare’s code leads to vulnerability. A simple coding error caused this bug like HeartBleed.  In the blog post, Cloudflare detailed the bug. The issue stems from the company’s decision to use a new HTML parser called cf-HTML. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.

Cloudflare ran into trouble when formatting the source code of cf-HTML and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, would fill up the buffer and then keep writing code somewhere else.

How to check for CloudBleed?

There is no such evidence that how many users or CloudFlare clients were affected. But Cloudflare claims that a very small number of requests lead to leaked data. 

As the Vulnerability was six months old, there may be a chance that hackers were silently exploring the bug and gathering users' sensitive data including passwords, private keys, personal information, etc. So we recommend everyone change your all online accounts password immediately.