Written by Patrick Howell O'Neill
The private messages you sent on OKCupid last month or the data collected by your FitBit could be floating around the internet right now. Add to that a load of passwords and private data on some of the web’s most popular sites.
Cloudflare, a massive content delivery network and security provider, has been vulnerable to a memory leak due to a bug discovered earlier this month by Tavis Ormandy of Google’s Project Zero. Big businesses like Uber, 1Password, OKCupid and FitBit all use Cloudflare’s technology.
As a result of the bug, virtually any traffic that passed through Cloudflare could have been exposed, including emails, private messages, passwords and other private data.
Cloudflare confirmed the issue on Thursday. No malicious exploits of the bug in the wild or other reports of its existence have been spotted.
Cloudflare is used by a huge portion of the web: it advertises that it serves more web traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Figuring out exactly how many and which websites are affected is a mammoth task.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
The bug, a result of a coding error, made Cloudflare’s servers run past the end of a buffer and return private information such as HTTP cookies, authentication tokens and an array of other sensitive data.
It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I’ll explain later). My working theory was that this was related to their “ScrapeShield” feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.
In layman’s terms: the coding error caused Cloudflare’s servers to read beyond the end of the memory set aside for a web page and send whatever sat next to it, including other customers’ data, out onto the free and open internet.
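As an added illustration of the over-read described above (constructed here, not Cloudflare’s code), here is a toy HTML tag rewriter working over a shared proxy buffer, first in the form with the missing bounds check and then in the bounded form; the page contents, the neighbouring "other tenant" data and the function names are all assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration; not Cloudflare's code. A shared proxy buffer is assumed
 * to hold the customer page in its first PAGE_LEN bytes, followed by leftover data
 * from another request, as happens on a reverse proxy shared between customers. */
static const char ARENA[] =
    "<p>hello <b"                                    /* customer page: tag never closed */
    "Cookie: session=SECRET_OF_OTHER_TENANT; </x>";  /* neighbouring memory             */
#define PAGE_LEN 11

static void emit(char *out, size_t outsz, size_t *o, char c) {
    if (*o + 1 < outsz) out[(*o)++] = c;             /* never overflow the output buffer */
}

/* Vulnerable rewriter: copies the page, but its inner tag scan stops only at '>'
 * (or NUL), never at `len`, so an unclosed tag drags in whatever follows the page. */
size_t rewrite_unchecked(const char *page, size_t len, char *out, size_t outsz) {
    size_t o = 0, i = 0;
    while (i < len) {
        if (page[i] == '<') {
            /* BUG: `len` is not consulted here, so i runs past the end of the page. */
            while (page[i] != '>' && page[i] != '\0') emit(out, outsz, &o, page[i++]);
            if (page[i] == '>') emit(out, outsz, &o, page[i++]);
        } else {
            emit(out, outsz, &o, page[i++]);
        }
    }
    out[o] = '\0';
    return o;
}

/* Fixed rewriter: every scan is bounded by `len`; an unclosed tag is reported (-1)
 * and the output discarded instead of being padded from adjacent memory. */
long rewrite_checked(const char *page, size_t len, char *out, size_t outsz) {
    size_t o = 0, i = 0;
    while (i < len) {
        if (page[i] == '<') {
            size_t j = i;
            while (j < len && page[j] != '>') j++;   /* bounded scan for the closing '>' */
            if (j == len) { out[0] = '\0'; return -1; } /* truncated tag: refuse to rewrite */
            while (i <= j) emit(out, outsz, &o, page[i++]);
        } else {
            emit(out, outsz, &o, page[i++]);
        }
    }
    out[o] = '\0';
    return (long)o;
}
```

Run over the constructed arena, the unchecked version returns a response that contains the other tenant’s cookie while the bounded version rejects the page outright.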
Since Ormandy’s report, Cloudflare says its researchers worked 24 hours per day on the issue across offices in San Francisco and London. Ormandy, putting in similarly stretched hours, documented his frustration with Cloudflare’s team over recent days: “Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt,” he wrote on Thursday. “Needless to say, this did not convey to me that they take the program seriously.”
Ormandy also noted that Cloudflare’s announcement is “an excellent postmortem but severely downplays the risk to customers.”
While the Cloudflare post puts the “greatest period of impact” at four days, Ormandy says the impact is higher and that they have the data to prove it.
@pmoust Yes, they worded it confusingly. It was exploitable for months, we have the cached data.
— Tavis Ormandy (@taviso) February 24, 2017
Here’s Ormandy targeting Uber:
— ((Curi🌐us Reptile)) (@livebeef) February 23, 2017