
Cloudflare Leak Exposed Data From Millions of Websites

A huge new memory leak from the web services company Cloudflare may have left data from thousands of domains exposed thanks to a recently discovered bug.


Cloudflare says it is also reviewing older software for other potential security problems.

Cloudflare is a popular content delivery network that acts as a kind of digital shield: a reverse proxy in front of millions of websites that offers denial-of-service protection and other services.

“The typo that caused this issue was that someone used ‘=’ instead of ‘==’.”
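The quote above attributes the leak to a single wrong comparison operator in a check. The C below is an added illustration written for this page, not Cloudflare's parser, and its operator pair (`==` where `>=` is needed) is chosen for the demonstration rather than taken from the quote. It shows the general failure mode: an end-of-buffer test that only fires on exact equality can be stepped over by a multi-byte token, after which the scanner keeps copying whatever sits next to the request in memory, which is how one customer's data ends up in another customer's response. The hardened version stops as soon as the pointer reaches or passes the end. The arena, the request bytes and the neighbouring cookie text are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena (not real captured data): the request being parsed sits
 * at the front, and unrelated data from another request (the "secret") sits
 * directly behind it, the way neighbouring buffers do on a busy edge server.
 * Using one allocation keeps the demonstration free of undefined behaviour. */
#define ARENA_SIZE 64
static const char ARENA[ARENA_SIZE] =
    "GET /a<"                               /* the request: 7 bytes, ends in '<' */
    "Cookie: session=SECRET-TOKEN-1234; ";  /* neighbouring memory */
#define REQ_LEN 7

/* Toy scanner: copies input bytes to out, treating '<' as the start of a
 * two-byte token that it skips. Vulnerable variant: the end test is
 * `p == end`, so when the last input byte is '<' the skip moves p two bytes
 * past the end, equality never holds, and the loop keeps reading and copying
 * adjacent memory until the output buffer is full. */
static size_t scan_vulnerable(const char *buf, size_t len, char *out, size_t outcap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (n < outcap) {
        if (p == end)          /* BUG: only stops on exact equality */
            break;
        if (*p == '<') {       /* two-byte token: skip it */
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Hardened variant: identical except the end test is `p >= end`, so a skip
 * that overshoots the buffer is still caught on the next iteration. */
static size_t scan_fixed(const char *buf, size_t len, char *out, size_t outcap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (n < outcap) {
        if (p >= end)          /* FIX: reaching or passing the end stops the scan */
            break;
        if (*p == '<') {
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Run one variant over the constructed request; returns bytes copied. */
size_t demo_bytes_copied(int use_fixed)
{
    char out[32];
    return use_fixed ? scan_fixed(ARENA, REQ_LEN, out, sizeof out - 1)
                     : scan_vulnerable(ARENA, REQ_LEN, out, sizeof out - 1);
}

/* Run one variant and report whether the output contains bytes from the
 * neighbouring allocation (1 = leaked, 0 = clean). */
int demo_leaks(int use_fixed)
{
    char out[32];
    size_t n = use_fixed ? scan_fixed(ARENA, REQ_LEN, out, sizeof out - 1)
                         : scan_vulnerable(ARENA, REQ_LEN, out, sizeof out - 1);
    out[n] = '\0';
    return strstr(out, "SECRET") != NULL;
}

int main(void)
{
    printf("vulnerable: %zu bytes copied, leaks secret: %d\n",
           demo_bytes_copied(0), demo_leaks(0));
    printf("fixed:      %zu bytes copied, leaks secret: %d\n",
           demo_bytes_copied(1), demo_leaks(1));
    return 0;
}
```

The vulnerable scanner copies the six request bytes and then 25 bytes of the neighbouring cookie, while the fixed one returns only the six bytes that belong to the request. The practical lesson is the one the Cloudflare quote hints at: a bounds check should be a range test (`>=` or `<`), never an exact-equality test, because any code path that advances the cursor by more than one byte can jump over an equality check.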

Cloudflare CTO John Graham-Cumming said the company’s information security team, working alongside the search engine companies, had found 770 unique cached URIs that contained leaked memory. The three affected services were shut down by Cloudflare after it received Google’s report, and have since been fixed and re-enabled.

The data may have been leaking since September 22 last year, but the period of greatest impact, Cloudflare says, was from February 13 to February 18 – last week, basically.

The bug was first noticed February 17 by Tavis Ormandy of Google’s Project Zero security initiative, but information may have been seeping onto the web since September 2016. However, users of the websites might not know that their passwords and data were exposed because it’s not always clear that those websites use Cloudflare.

Cybersecurity expert Prof Alan Woodward said the bug had been caused by “a few lines of errant code”. Cloudflare has provided a detailed timeline of the issue, showing just how fast the company was able to respond to the issue and move to protect customers.

He told the BBC there was no evidence yet that the data had been used maliciously.

A bug in the service’s system, which has since been nicknamed “Cloudbleed” in reference to the 2014 Heartbleed bug, is reported to have leaked sensitive user information from websites such as OK Cupid, Uber, and Fitbit. Those sites were named to illustrate the bug’s impact. In Ormandy’s words: “We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything”.

“When processing HTTP requests for customers’ websites, our edge machines talk to each other within a rack, within a datacentre and between datacentres for logging, caching and to retrieve web pages from origin web servers”, Graham-Cumming said. As soon as Ormandy and his colleagues realized what the odd data they were seeing was, and where it was coming from, they alerted Cloudflare. That may not sound like much, but Cloudflare’s massive customer base includes categories like dating websites and password managers, which host particularly sensitive data.

The security glitch was brought to the attention of Cloudflare by Google researcher Tavis Ormandy.


He explained that the company then worked to clean up the leaked information from search engines like Google.
