Cloudbleed

Cloudbleed was a Cloudflare buffer overflow disclosed by Project Zero on February 17, 2017. Cloudflare's code leaked the contents of server memory, which contained private information belonging to other customers, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. [1] As a result, data from one Cloudflare customer could be leaked into responses served for other Cloudflare customers' sites, because those sites shared the same server memory. According to figures Cloudflare provided at the time, this occurred more than 18,000,000 times before the problem was corrected. [2] [3] Some of the leaked data was cached by search engines. [3] [4] [5] [6] [7] [8]

Discovery

The discovery was reported by Google's Project Zero team. [1] Tavis Ormandy [9] posted the issue on his team's issue tracker and said that he informed Cloudflare of the problem on February 17. In his own proof-of-concept attack he got a Cloudflare server to return "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything." [1]

Similarities to Heartbleed

In its effects, Cloudbleed is comparable to the 2014 Heartbleed bug, in that it allowed unauthorized third parties to access data in the memory of programs running on web servers, including data which had been shielded while in transit by TLS. [10] [11] Cloudbleed also likely impacted as many users as Heartbleed since it affected a content delivery network serving nearly two million websites. [4] [11]

Tavis Ormandy, first to discover the vulnerability, immediately drew a comparison to Heartbleed, saying "it took every ounce of strength not to call this issue 'cloudbleed'" in his report. [1]

Reactions

Cloudflare

On Thursday, February 23, 2017, Cloudflare published a post stating: [12]

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

"The greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)."

Cloudflare acknowledged that memory could have leaked as early as September 22, 2016. The company also stated that one of its own private keys, used for machine-to-machine encryption, had leaked.

Cloudflare's incident report explained the root cause: "It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself." [3]
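The parser defect described above is a buffer overrun: the scanner's pointer stepped past the end of the bytes it was given and kept reading whatever lay next to them in memory. The following C program is an added illustration of that bug class and is not Cloudflare's or Ragel's code; the toy `<script>` attribute scanner, the memory layout and the contrast between an equality end-of-buffer check and a bounded one (the root cause Cloudflare's incident report [3] identified) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout (an assumption for this example): the bytes the
   parser may read, ending in an unterminated "<script type=", sit directly in
   front of another request's data, as they would in a shared server arena. */
static const char ARENA[] =
    "<script type="                        /* HTML_LEN bytes handed to the parser */
    " Cookie: sid=LEAKED-SESSION-TOKEN";   /* adjacent memory, must never be copied */
#define HTML_LEN 13

/* Copy the quoted attribute values of <script> tags into out; returns the length.
   strict == 0 reproduces the bug class: the loop stops only when p == end, so the
   two-byte jump over '=' and the quote can land past end and keep scanning.
   strict == 1 is the corrected bounded check p < end, which catches the overshoot. */
static size_t extract_values(const char *buf, size_t len, int strict,
                             char *out, size_t outsz)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    enum { TEXT, TAG, VALUE } st = TEXT;
    while (strict ? (p < end) : (p != end)) {
        char c = *p;
        if (c == '\0') break;              /* demo guard: never run off the arena */
        switch (st) {
        case TEXT:                         /* look for the start of a <script tag */
            if (c == '<' && end - p >= 7 && memcmp(p, "<script", 7) == 0) {
                p += 7; st = TAG;
            } else p++;
            break;
        case TAG:                          /* inside the tag, between attributes */
            if (c == '>') st = TEXT;
            else if (c == '=') { p++; st = VALUE; } /* also skips the assumed quote */
            p++;
            break;
        case VALUE:                        /* copy until the closing quote or '>' */
            if (c == '"' || c == '>') { st = TAG; if (c == '"') p++; break; }
            if (n + 1 < outsz) out[n++] = c;
            p++;
            break;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[128];
    extract_values(ARENA, HTML_LEN, 0, out, sizeof out);
    printf("equality check: copied \"%s\"\n", out);  /* leaks the adjacent cookie */
    extract_values(ARENA, HTML_LEN, 1, out, sizeof out);
    printf("bounded check:  copied \"%s\"\n", out);  /* copies nothing */
    return 0;
}
```

With the equality check the unterminated tag at the end of the buffer makes the scanner copy the adjacent cookie into its output; the bounded check stops at the buffer boundary, and both variants behave identically on well-formed input.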

John Graham-Cumming, Cloudflare CTO, noted that Cloudflare clients, such as Uber and OkCupid, weren't directly informed of the leaks due to the security risks involved in the situation. “There was no backdoor communication outside of Cloudflare — only with Google and other search engines,” he said. [6]

Graham-Cumming also said that "Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it." He added that his team has already begun testing their software for other possible issues. [7]

Google Project Zero team

Tavis Ormandy initially stated that he was "really impressed with Cloudflare's quick response, and how dedicated they are to cleaning up from this unfortunate issue." [1] However, when Ormandy pressed Cloudflare for additional information, "They gave several excuses that didn't make sense," [13] before sending a draft that "severely downplays the risk to customers." [14]

Uber

Uber stated that the impact on its service was very limited. [10] An Uber spokesperson added "only a handful of session tokens were involved and have since been changed. Passwords were not exposed." [15]

OKCupid

OKCupid CEO Elie Seidman said: "CloudFlare alerted us last night of their bug and we've been looking into its impact on OkCupid members. Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them." [10] [15]

Fitbit

Fitbit stated that they had investigated the incident and only found that a "handful of people were affected". They recommended that concerned customers should change their passwords and clear session tokens by revoking and re-adding the app to their account. [16]

1Password

In a blog post, Jeffrey Goldberg stated that no 1Password data would be at risk due to Cloudbleed, citing the service's use of the Secure Remote Password protocol (SRP), in which the client and server prove their identity to each other without sending any secrets over the network. 1Password data is additionally encrypted using keys derived from the user's master password and a secret account code, which Goldberg said would protect the credentials even if 1Password's own servers were breached. 1Password did not suggest that users change their master password in response to a potential breach involving the bug. [17]

Remediation

Many major news outlets advised users of sites hosted by Cloudflare to change their passwords, as even accounts protected by multi-factor authentication could be at risk. [18] [19] [20] [7] [21] Passwords used by mobile apps could also have been affected. [22] Researchers at Arbor Networks, in an alert, suggested that "For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day...Pretty much all of them." [23]

Inc. Magazine cybersecurity columnist, Joseph Steinberg, however, advised people not to change their passwords, stating that "the current risk is much smaller than the price to be paid in increased 'cybersecurity fatigue' leading to much bigger problems in the future." [24]

References

  1. "Issue 1139: cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory". February 19, 2017. Retrieved February 24, 2017.
  2. "About Cloudflare". Cloudflare. Archived from the original on March 4, 2017. Retrieved June 16, 2021. "Every week, the average Internet user touches us more than 500 times."
  3. "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. February 23, 2017. Archived from the original on February 23, 2017. Retrieved February 24, 2017. "1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage."
  4. Thomson, Iain (February 24, 2017). "Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug". The Register. Retrieved February 24, 2017.
  5. Burgess, Matt. "Cloudflare has been leaking private Uber, Fitbit and Ok Cupid details for months". WIRED UK. Retrieved February 24, 2017.
  6. Conger, Kate (February 24, 2017). "Major Cloudflare bug leaked sensitive data from customers' websites". TechCrunch. Retrieved February 24, 2017.
  7. "CloudFlare Leaked Sensitive Data Across the Internet For Months". Fortune. Retrieved February 24, 2017.
  8. Wagstaff, Jeremy (February 24, 2017). "Bug causes personal data leak, but no sign of hackers exploiting: Cloudflare". Reuters.
  9. Marc Rogers interviewed on the TV show Triangulation on the TWiT.tv network.
  10. Fox-Brewster, Thomas. "Google Just Discovered A Massive Web Leak... And You Might Want To Change All Your Passwords". Forbes. Retrieved February 24, 2017.
  11. Estes, Adam Clark. "Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster". Gizmodo. Retrieved February 24, 2017.
  12. "CloudBleed memory leak bug explained-why it all happened | PcSite". PcSite. February 25, 2017. Retrieved March 3, 2017.
  13. "1139 - project-zero - Project Zero - Monorail".
  14. "1139 - project-zero - Project Zero - Monorail".
  15. Larson, Selena (February 24, 2017). "Why you shouldn't freak out (yet) about the 'Cloudbleed' security leak". CNNMoney. Retrieved February 24, 2017.
  16. "Help article: How is Fitbit keeping my data secure in light of the Cloudflare security issue?". help.fitbit.com. Archived from the original on July 7, 2017. Retrieved July 13, 2020.
  17. "Three layers of encryption keeps you safe when SSL/TLS fails | 1Password". 1Password Blog. February 23, 2017. Retrieved December 30, 2023.
  18. "Cloudbleed: How to deal with it". Medium. February 24, 2017. Retrieved February 24, 2017.
  19. "Cloudbleed Explained: Flaw Exposes Mountains of Private Data". Popular Mechanics. February 24, 2017. Retrieved February 24, 2017.
  20. Constantin, Lucian. "Cloudflare bug exposed passwords, other sensitive data from websites". CIO. Archived from the original on February 25, 2017. Retrieved February 24, 2017.
  21. Menegus, Bryan. "Change Your Passwords. Now". Gizmodo. Retrieved February 24, 2017.
  22. Weinstein, David (February 24, 2017). "Cloudflare 'Cloudbleed' bug impact on mobile apps: Data sample of..." NowSecure. Retrieved February 24, 2017.
  23. "Dark Reading - Cloudflare Leaked Web Customer Data For Months". www.darkreading.com. Retrieved February 25, 2017.
  24. Steinberg, Joseph (February 24, 2017). "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement". Inc. Retrieved February 24, 2017.