CloudFlare, which helps optimise the security of over 5.5 million websites, is under threat from a harmful bug called “Cloudbleed”.
This vulnerability leaks sensitive information, including passwords, cookies and tokens used for user authentication.
What is Cloudbleed?
Google Project Zero security researcher Tavis Ormandy discovered a security bug (Cloudbleed) in the CloudFlare Internet infrastructure service. Cloudbleed causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.
CloudFlare acts as a proxy between the user and the web server. It caches content for websites and lowers the number of requests to the original host server by passing content through Cloudflare’s edge servers, which parse it for optimisation and security.
Ormandy discovered a buffer overflow issue on Cloudflare’s edge servers: they were running past the end of a buffer and returning memory containing private data such as HTTP cookies, authentication tokens and HTTP POST bodies, and some of the leaked data had already been cached by search engines. Read Ormandy’s blog post.
Moreover, the root cause of the Cloudbleed vulnerability was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.”
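To make the quoted root cause concrete, here is an added C example (constructed for this article, not Cloudflare’s or Ormandy’s code): a toy HTML scanner skips a two-byte tag body and then tests for end-of-buffer with `==`, beside the same scanner using `>=`. The buffer layout, the skip length and the “adjacent secret” are assumptions made for the demo.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 16   /* bytes of the request handed to the parser            */
#define ADJ_LEN 32   /* bytes of "adjacent memory" that follow it in RAM     */
#define TAG_SKIP 2   /* on '<' the parser skips a 2-byte tag body unchecked  */

/* One contiguous backing array: the parser's buffer is backing[0..BUF_LEN)
 * and backing[BUF_LEN..] stands in for whatever else the process holds
 * (a constructed secret below). Keeping both in one array keeps the demo
 * free of undefined behaviour while still letting us count the overread. */
static unsigned char backing[BUF_LEN + ADJ_LEN];

/* Copy text bytes from [p, pe) into out, skipping TAG_SKIP bytes after each '<'.
 * strict == 0 reproduces the quoted defect: end-of-buffer is tested with '=='.
 * strict != 0 tests with '>=', which still fires once p has stepped past pe.
 * Returns how many bytes were copied from beyond pe (0 means no leak). */
size_t scan_text(const unsigned char *p, const unsigned char *pe, int strict,
                 unsigned char *out, size_t out_cap)
{
    const unsigned char *hard_end = backing + sizeof backing; /* demo-only guard */
    size_t n = 0, overread = 0;
    while (p < hard_end && n < out_cap) {
        if (*p == '<') {
            p += TAG_SKIP;            /* skip the tag body; p may now reach or pass pe */
        } else {
            if (p >= pe) overread++;  /* this byte was never part of the request */
            out[n++] = *p;
        }
        ++p;
        /* After a skip, p can jump from pe-1 to pe+1, so '==' never matches
         * and the copy continues into adjacent memory; '>=' stops it here. */
        if (strict ? p >= pe : p == pe)
            break;
    }
    return overread;
}

/* Build the constructed request (filler text with one '<' at tag_pos) and the
 * constructed adjacent secret, run the scanner, and return the leaked byte count. */
size_t leaked_bytes(size_t tag_pos, int strict)
{
    unsigned char out[sizeof backing];
    memset(backing, 'a', BUF_LEN);
    backing[tag_pos] = '<';
    /* First ADJ_LEN bytes of a constructed "neighbouring" session cookie. */
    memcpy(backing + BUF_LEN, "Cookie: session=CONSTRUCTED-SECRET", ADJ_LEN);
    return scan_text(backing, backing + BUF_LEN, strict, out, sizeof out);
}
```

Only a tag at a particular offset triggers the overshoot (a tag one byte earlier lands exactly on the end and the `==` test still fires), which is why a parser can pass ordinary input for a long time before a malformed page exposes the bug.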
How does it affect users?
Cloudbleed is similar to the 2014 Heartbleed bug in allowing unauthorised third parties to access data shielded with Transport Layer Security (TLS). As a result, it can affect a security and content delivery service used by close to 2 million websites.
According to Ormandy, Cloudflare had code in its “ScrapeShield” feature that parses and obfuscates HTML, but since reverse proxies are shared among customers, the bug would affect all CloudFlare customers.
Since a large number of Cloudflare’s services and websites rely on parsing HTML pages, there is a chance that websites you visit may have been affected.
The leaked data includes sensitive information that flowed between servers and end users through CloudFlare’s proxies.
In addition, it also affects mobile apps, which use the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.
Moreover, some of Cloudflare’s major customers affected by the vulnerability included Uber, 1Password, FitBit, and OKCupid.
Have a look at this list of affected sites on GitHub.
What should one do?
In conclusion, customers who use Cloudflare for their websites are advised to force a password change.
Users are also recommended to reset their passwords for all accounts, in case they use the same password on every site.
Resetting passwords is also recommended for accounts protected by 2-factor authentication.