Cloudbleed Is Just The Latest Internet Security Disaster

A tiny bug in Cloudflare’s code has caused an unknown quantity of data, including passwords, personal information, messages, cookies, and more, to leak all over the Internet.

Let’s start with the good news. Cloudflare, one of the world’s largest Internet security companies, acted fast when security researcher Tavis Ormandy of Google’s Project Zero identified the vulnerability.

The bad news is that websites behind Cloudflare had been leaking data for months before Ormandy noticed the bug.

Cloudflare says the earliest data leak dates back to September 2016. It’s so far unclear if blackhat hackers had already found the vulnerability and exploited it secretly before Cloudflare fixed its code. Cloudflare’s clients include huge companies like Uber, OKCupid, 1Password (Update: 1Password claims its user data is safe), and FitBit. That means a holy ton of sensitive data has potentially been compromised.

As with any major security vulnerability, it will take some time before we can fully comprehend the level of destruction caused by Cloudbleed. 

For now, you should change your passwords, all of them, and implement two-factor authentication everywhere you can. 

What is Cloudflare?

You might not be familiar with Cloudflare itself, but the company’s technology is running on a lot of your favorite websites. Cloudflare describes itself as a “web performance and security company.” 

Originally an app for tracking down the source of spam, the company now offers a whole menu of products to websites, including performance-based services like content delivery services; reliability-focused offerings like domain name system (DNS) services; and security services like protection against distributed denial of service (DDoS) attacks.

The fact that Cloudflare is a security company makes the dustup around this new vulnerability supremely ironic. After all, countless companies pay Cloudflare to help keep their user data safe. The Cloudbleed blunder did the opposite of that.

“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Tavis Ormandy wrote in an advisory. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Ormandy also said that the Cloudbleed vulnerability leaked data across 3,438 unique domains during a five-day period in February.

How does Cloudbleed work?

Cloudbleed is especially interesting because a single character in Cloudflare’s code led to the vulnerability. It appears to be a simple coding error. Based on what’s been reported, Cloudbleed works a bit like Heartbleed in that it leaks the contents of server memory. The scale of Cloudbleed also looks like it could impact as many users as Heartbleed, as it affects a common security service used by many websites.

According to a Cloudflare blog post, the issue stems from the company’s decision to use a new HTML parser called cf-html. An HTML parser is a component that scans a page’s HTML to pick out its structure, such as start tags and end tags, which makes it easier to modify that markup.

Cloudflare ran into trouble when adapting the source code of cf-html and its older parser, Ragel, to work together inside its own software. An error in the code created something called a buffer overrun vulnerability.

This means that when the software was handling data in a buffer, a fixed-size area of memory set aside for temporary data, it did not stop at the end of that buffer and kept going into whatever memory lay beyond it.

In plain English, Cloudflare’s software tried to keep user data in the right place. That place got full. So Cloudflare’s software ended up putting that data somewhere else, including into pages served for completely different websites.
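Cloudflare’s own write-up attributed the bug to an end-of-buffer check that used `==` where `>=` was needed. The simplified C reconstruction below is an added example, not Cloudflare’s code: a `<script` tag scanner and two constructed requests laid out next to each other in memory stand in for the real parser and its heap, and show how the `==` test lets the scan run on into the neighbouring request while the `>=` test stops it at the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Copy the attribute text of the first <script ...> tag in buf[0..len) into out,
 * in the advance-then-test style of generated state machines. fixed == 0 tests for
 * the end of the buffer with `p == pe` (the one-character defect), fixed == 1 with
 * `p >= pe`. The '=' and the quote assumed to follow it are not copied. */
static size_t scan_script_attrs(const char *buf, size_t len, char *out, size_t cap, int fixed)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (p < pe) {
        if (pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
            p += 6;                               /* p on 't', last byte of the tag name */
            for (;;) {
                ++p;                              /* step first... */
                if (fixed ? p >= pe : p == pe)    /* ...then test: `==` misses a p that */
                    goto done;                    /* has already stepped past pe */
                if (*p == '>' || n == cap - 1)
                    goto done;
                if (*p == '=') { ++p; continue; } /* unchecked skip of the quote: p may land on pe */
                out[n++] = *p;
            }
        }
        p++;
    }
done:
    out[n] = '\0';
    return n;
}

/* Constructed arena standing in for the parser's heap: request A's 19-byte HTML chunk,
 * ending in an unfinished attribute, sits directly in front of memory that holds an
 * unrelated request B. Nothing here is real traffic. */
static const char arena[] = "<html><script type=" "\nPOST /login pass:hunter2>";
#define REQUEST_A_LEN 19
static char outbuf[64];

/* Scan request A only; returns how many bytes the scanner copied into outbuf. */
static size_t demo_output_len(int fixed)
{
    return scan_script_attrs(arena, REQUEST_A_LEN, outbuf, sizeof outbuf, fixed);
}

int main(void)
{
    demo_output_len(0); printf("buggy (==): \"%s\"\n", outbuf);  /* request B's bytes leak */
    demo_output_len(1); printf("fixed (>=): \"%s\"\n", outbuf);  /* stops at the end of A */
    return 0;
}
```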

Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it.

Have you been pwned?

It’s unclear who exactly has been pwned. Cloudflare claims that only a very small number of requests led to leaked data, but since the vulnerability had been present for almost six months, who knows how much information is out in the wild.

Furthermore, the fact that so much of that data was cached across different sites means that, while Cloudflare’s initial patch stopped the leaking, the company needs to do lots of hunting around the web to ensure that all of the leaked data gets scrubbed. Even worse, sites that don’t use Cloudflare’s service, but have a lot of Cloudflare users, might have compromised data on their servers.

Changing your passwords sucks, but you should be doing it on a semi-regular basis anyway. As we’ve argued in the past, you might as well enable two-factor authentication on everything, too, since it’s your best first defense against hackers.

That said, nothing is ever truly secure on the Internet, and Cloudbleed might compromise some accounts even if they use two-factor authentication.

Source: Gizmodo

