Significant Leakage of Confidential Data at Cloudflare and its Clients

Techno 25 February, 2017

The service used by 5.5 million websites could have accidentally exposed passwords and user authentication tokens of its customers.

Cloudflare, a major content distribution network used by millions of sites to improve security and performance, announced this week that it had been informed of a serious flaw that may have exposed a range of sensitive information. The conditional is used here because the company has indicated that it has not seen any malicious use of the information that this vulnerability accidentally made accessible.

An error in the code failed to detect when the buffer was exhausted, allowing the software to continue writing data elsewhere in the system.
This leak, unofficially dubbed Cloudbleed in reference to the devastation caused by the Heartbleed flaw in 2014, is the result of a buffer overflow: a phenomenon that occurs when software writes data outside the storage space temporarily allocated to it by the system. An error in the code used by Cloudflare broke the routine designed to detect when the buffer is exhausted, so the software, in this case the HTML parser, kept writing its data elsewhere in the system.
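As an added illustration of how a missed end-of-buffer check lets a parser walk into neighbouring memory (constructed for this article; it is not Cloudflare's code), assuming a toy scanner that treats every '<' as a fixed 4-byte tag and a single char array standing in for process memory:

```c
#include <stdio.h>
#include <string.h>
/* Constructed illustration of the Cloudbleed class of defect, not Cloudflare's
 * parser.  One char array stands in for process memory: the first PAGE_LEN
 * bytes are the HTML being rewritten; the bytes after it belong to something
 * else that happens to sit beside it on the heap (a made-up session cookie). */
static const char arena[] =
    "ab <br>cd <br>ef <br"                       /* 20-byte page, ends in a truncated tag */
    "session=SECRET-TOKEN-1234; more heap data"; /* the neighbour's data */
#define PAGE_LEN  20
#define TAG_SKIP  4                    /* every '<' is treated as a 4-byte tag */
#define ARENA_END (sizeof(arena) - 1)  /* "end of memory" in this model */
/* Copy the page's text into out, dropping tags.  'hardened' selects the
 * end-of-buffer test: the defective '==' or the fixed '>='.  Returns the
 * number of bytes written. */
size_t rewrite_page(int hardened, char *out, size_t out_cap)
{
    size_t p = 0, pe = PAGE_LEN, n = 0;  /* cursor, one past the page, output length */
    for (;;) {
        /* Exhaustion check.  With '==' a cursor that jumped from 17 to 21
         * never equals 20, so the loop keeps copying the neighbour's bytes. */
        int done = hardened ? (p >= pe) : (p == pe);
        if (done || p >= ARENA_END || n + 1 >= out_cap)
            break;
        if (arena[p] == '<')
            p += TAG_SKIP;  /* skip the tag; on the truncated last tag this overshoots pe */
        else
            out[n++] = arena[p++];
    }
    out[n] = '\0';
    return n;
}

/* 1 if the rewritten page carries the neighbour's token, else 0. */
int leaks_secret(int hardened)
{
    char out[128];
    rewrite_page(hardened, out, sizeof out);
    return strstr(out, "SECRET-TOKEN-1234") != NULL;
}

int main(void)
{
    char out[128];
    rewrite_page(0, out, sizeof out);
    printf("defective '==' check: \"%s\"\n", out);
    rewrite_page(1, out, sizeof out);
    printf("hardened  '>=' check: \"%s\"\n", out);
    return 0;
}
```

The defective variant emits the page text followed by the neighbour's cookie, which is the shape of what ended up in cached responses; the hardened variant stops at the page boundary.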

Discovered on February 18th by Tavis Ormandy, a security researcher on Google's Project Zero team, the bug in question is particularly serious for several reasons.

First, it is estimated that sometimes-sensitive information could have been accessed as far back as September 22, 5 months before the problem was discovered. Second, some of the confidential data disclosed was cached by Google and other search engines, which extended the period during which it remained accessible.

“We are revealing the problem today because we are convinced that search engine caches have now purged sensitive information,” said John Graham-Cumming, technical director of Cloudflare. We invite you to read Graham-Cumming’s detailed explanation of the vulnerability on the company’s blog.

According to Cloudflare, the peak period of the data leak occurred between February 13 and 18, during which roughly one HTTP request in 3,300,300 may have suffered a buffer overflow. The company sought to be reassuring by noting that this proportion represents 0.00003% of the total number of requests it received during that period. Moreover, not every instance of the buffer overflow systematically exposed confidential data.

But in the eyes of the very person who discovered the bug, Cloudflare’s technical director seems to be minimizing the scale of the problem in his article. “This is an excellent postmortem, but it seriously reduces the risk to customers,” Ormandy believes. Recall that among the clients affected by the vulnerability are 1Password, FitBit, and OKCupid.

It should be noted that, in light of this discovery, 1Password publicly stated that none of its users’ sensitive data had been exposed by Cloudbleed, in particular because its service uses a three-layer encryption system designed to hold up even if the SSL and TLS protocols fail.