Time to change your passwords again. A new security bug nicknamed 'Cloudbleed' may have compromised the security of user data at sites using the Cloudflare security service. At risk are logins and passwords for millions of Web sites.
The bug was discovered last Friday by Google security researcher Tavis Ormandy, part of the company’s Project Zero initiative. The vulnerability affected the Web security and services company Cloudflare, which has been leaking customer HTTPS sessions for popular Web sites and services, such as Uber, FitBit, and OkCupid, for the past several months. The data that was leaked also includes sensitive personal data.
Chat Services and Adult Videos
“The examples we're finding are so bad,” Ormandy wrote in a post on the Project Zero site. “I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
According to Cloudflare, Ormandy alerted the company to the problem February 17, at which point Cloudflare said it deactivated three minor service features that were using the HTML parser chain that was the cause of the leaked data. It's now no longer possible for memory to be returned in an HTTP response, the company said.
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests),” the company wrote in a blog post regarding the vulnerability.
But according to Ormandy, Cloudflare’s announcement severely downplays the risk that Cloudbleed presents to its customers. “We keep finding more sensitive data that we need to cleanup,” Ormandy said. “I didn't realize how much of the Internet was sitting behind a Cloudflare CDN [content delivery network] until this incident.”
Problems at the Edge
The problem stems from a security issue with the company’s edge servers that caused corrupted Web pages to be returned by some HTTP requests run through its service, according to Cloudflare.
Cloudflare said that under unusual circumstances, its edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.
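The following C example is added here for illustration and is not Cloudflare's code. The article does not describe the exact flaw, so it assumes a hypothetical rewriter whose end-of-buffer test is an equality check that a two-byte step can jump over; PAGE, OTHER, rewrite and leak_demo are constructed names and data. The second run uses the bounds check that stops the response at the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a page ending in an unfinished attribute, and
   another request's data that happens to sit next to it in memory. */
static const char PAGE[]  = "<p>hi</p><img src=";
static const char OTHER[] = "Cookie: session=CONSTRUCTED-SECRET";

/* Hypothetical rewriter: copies bytes from [p, pe) to out, and after '='
   advances two bytes (the '=' and an expected opening quote).
   strict_end=0 uses the fragile test p == pe; strict_end=1 uses p >= pe.
   hard_end only keeps this demo inside its own array. */
static size_t rewrite(const char *p, const char *pe, const char *hard_end,
                      int strict_end, char *out, size_t cap)
{
    size_t n = 0;
    while (p < hard_end && n + 1 < cap) {
        if (strict_end ? (p >= pe) : (p == pe))
            break;                       /* end-of-buffer check */
        out[n++] = *p;
        p += (*p == '=') ? 2 : 1;        /* the 2-byte step can jump over pe */
    }
    out[n] = '\0';
    return n;
}

/* Lay PAGE and OTHER out back to back and run the rewriter over PAGE only. */
size_t leak_demo(int strict_end, char *out, size_t cap)
{
    char arena[128] = {0};
    size_t plen = strlen(PAGE), olen = strlen(OTHER);
    memcpy(arena, PAGE, plen);
    memcpy(arena + plen, OTHER, olen);
    return rewrite(arena, arena + plen, arena + plen + olen,
                   strict_end, out, cap);
}

int main(void)
{
    char out[128];
    size_t n = leak_demo(0, out, sizeof out);
    printf("p == pe : %zu bytes: %s\n", n, out);
    n = leak_demo(1, out, sizeof out);
    printf("p >= pe : %zu bytes: %s\n", n, out);
    return 0;
}
```

With the equality test the response carries bytes that belong to the neighbouring request; with `p >= pe` it ends where the page does.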
The company said that it has not yet discovered any evidence of malicious exploits designed to take advantage of the bug. However, that may not matter, as search engines, including Google, have already cached many of the pages affected, even those with sensitive data.
“We've been trying to help clean up cached pages inadvertently crawled at Google,” Ormandy said. “This is just a bandaid, but we're doing what we can. Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know.”
But other crawlers have likely already collected the data, and may not yet realize the significance of the information they have stored on their servers.