Cloudflare bug causes leak of personal HTTPS data of leading websites

Cloudflare is a fairly popular web service, and security company and a recent massive attack are said to have exposed user data with regards to several sites running on Cloudflare. Let’s first begin by understanding what exactly does Cloudflare does. The service acts as a Web Firewall & CDN and helps companies protect their websites and load faster. But a programming glitch seems to have created a buffer overrun which in turn leaked others private session keys and personal information into strangers browsers.

Cloudflare

Cloudflare bug leaks personal HTTPS data

The bug was uncovered by Google researchers, and all of this seems to have ben caused by using ‘>’ instead of ‘=’ in the software source code. Since CloudFlare hosts big companies like OK Cupid, Fitbit, Uber, Digital Ocean and others.

Well, this also happened to me when I tried booking a cab on my Uber the location and the personal data shown was of someone else, the app also showed the trip histories of other users. The leak has been apparently fired when web pages with a particular combination mislead CloudFlare proxy, and this made the servers give out personal details of other users even if it was shielded by HTTPS.

The bulk of data including session and API keys along with cookies and passwords were found in cached pages, and needless to say were crawled by Google. Needless to say, the session key can be used by someone to log in as you. Travis Ormandy, a Bug Hunter at Google’s Project Zero team, unearthed the flaw when he was working on a side project. After delving into the same, he found the leaked data to be so bad that he eventually decided to cancel his weekend and instead build a tool to clean up the mess.

“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything- Travis Ormandy.”

How it all happened

According to Travis, Google and CloudFlare together have formed a team and will be cleaning up all the private data on the internet. Moving on, its interesting to learn how this attack actually took place and it all started when the company decided to develop a new HTML parser for its servers. Despite being written on Regel, the code was converted into Machine generated C. The unbalanced HTML triggered an unbalanced HTML tag on the images, and the pointer checking was supposed to stop this from happening but this was broken since an equality operator had been used.

Cloudfare’s head of engineering John Graham-Cumming was quoted as follows, “The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer” he further deduced that “Had the check been done using ‘>=’ instead of ‘== jumping over the buffer end would have been caught.”

As a precautionary measure users are requested to change their passwords on all the affected sites and also ensure that you do the same on Password managers. The Github link displays a scraped list of top 10,000 sites from Alexa that have been affected by this bug and perhaps you can do a “Ctrl+F” and check out the sites you regularly use and change the credentials. Maybe you want to change your passwords of your online websites right away.

Read more about CloudBleed and find out if you visited Cloudbleed affected sites.

Posted by with Tags

Mahit Huilgol has been using Windows on Mobile since the Windows 6. Ever since than i have been following Microsoft developments from close quarters and love writing about it. Eagerly waiting for the time when Windows Phone will be the most preferred OS in the World.