A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘Cloudbleed’, was discovered by Google Project Zero vulnerability researcher Tavis Ormandy.
A buffer overflow bug has caused a small number of requests to Cloudflare proxies to leak data from unrelated requests, including potentially sensitive data such as passwords and other secrets. The issue, which has been named ‘ Cloudbleed ’, was discovered and documented by Google Project Zero vulnerability researcher Tavis Ormandy. After applying fixes and attempting to clean search engine caches Cloudflare’s John Graham-Cumming provided a detailed explanatory blog post. Despite some sensitive data being leaked Cloudflare’s Founder and CEO Matthew Prince tweeted ‘I think we largely dodged a bullet on the actual impact’.
In the explanatory blog post, and their CEO Matthew Prince’s email to customers , Cloudflare took pains to highlight that SSL private keys could not be compromised because they’re used in separate isolated instances of Nginx. The leak was caused by a combination of Nginx plugins that Cloudflare uses to handle customer’s requests. The introduction of a newer plugin caused a previously latent issue in an older plugin to become exposed for a small subset of requests that combined certain features with improperly formatted HTML.
The issue is estimated to have impacted 1 in every 3,300,000 HTTP requests through the Cloudflare proxies between 13 and 18 Feb 2017. Those odds were compared to ‘winning the lotto’ by security expert Troy Hunt in his post ‘ Pragmatic thoughts on #CloudBleed ’, though the problem here is twofold: firstly the sites doing the leaking are innocent victims of the sites causing the leak bug to be activated, and secondly there’s no way to ‘check your ticket’ on whether you’ve been a leak victim or not (which applies equally to sites using Cloudflare and their visitors).
