Cloudflare bug exposed sensitive Fitbit, Uber, OkCupid data
A major bug in software used by content delivery network Cloudflare has exposed sensitive, encrypted data – including passwords – from its' customers' websites, the company says. There are no signs that hackers have exploited the bug.
Beginning as early as September 22, hundreds of thousands webpages among websites hosted by Cloudflare, Inc. have leaked sensitive data, including passwords, cookies and software keys, the company said Thursday in a blog post. The period most affected period was between February 13 and the bug's discovery on February 18.
Of the six million sites that Cloudflare hosts, 3,400 were leaking data, according to reports. The content delivery and internet security company hosts websites of popular services like Uber, Fitbit and OkCupid, all three of which were affected.
Nicknamed "Cloudbleed," the leak came from a bug in Cloudflare software that sent random batches of data to users' browsers upon visiting a Cloudflare-hosted webpage, according to Tavis Ormandy, a Google security researcher who first discovered the issue.
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
In addition to information like passwords and cookies, Ormandy found "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," he wrote on Google's Project Zero bug tracker page.
"We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," Ormandy added. Among the companies whose data leaked were Uber and 1Password, a cloud password company, he said. Uber declined to comment on the matter, while 1Password said no personal data was leaked, according to Reuters.
"Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats."
— Willy Clicks (@willyclicks) February 24, 2017
LOL!@Cloudflare
Though 3,400 sites were involved in leaking information, data from all of Cloudflare customers were subject to the leak, Ormandy told CNET.
“[O]ur edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data," said John Graham-Cumming, Cloudflare's chief technology officer. “And some of that data had been cached by search engines.”
Once discovered, the bug was fixed in under seven hours by Cloudflare teams in San Francisco and London, Graham-Cumming wrote. Much of the leaked data has been removed from search engine caches in an ongoing effort, he said.
"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Graham-Cumming added. "We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
Consequence of @taviso's Cloudbleed discovery: essentially any traffic which passed through Cloudflare (even https) recently might be public
— Ryan Lackey (@octal) February 24, 2017
Cloudflare has not found evidence that the bug has been exploited by hackers. The company does not "know of anybody who has had a security problem as a result of this," Graham-Cunning said, according to Reuters.
Cloudflare has refrained from immediately going public with the information because "we felt we had a duty of care to ensure that search engine caches were scrubbed for a public announcement,” he added.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
"The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged," he wrote. "With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines."
An incident like the bug discovery "is subject to a 90 day disclosure. We were disclosing after six days,” Graham-Cunning told TechCrunch.
Ormandy, however, said Cloudflare's blog post about the bug "severely down plays the risk to customers" and that the company's efforts to publicly flag the issue were not fast enough.
We've been informed by @Cloudflare that Blockchain was not one of the companies affected by #CloudBleed
— Blockchain (@blockchain) February 24, 2017