Cloudflare Security Bug Exposed Data from 3,400 Websites

Cloudflare Security Bug Exposed Data from 3,400 Websites

ArsTechnica on Thursday reported a bug in Cloudflare, a popular content delivery network. The bug caused the user data from 3,400 websites to be leaked and cached by search engines. Sites affected the last several months include Uber, Fitbit, OK Cupid and more.

Cloudflare Security Bug Exposed Data from 3,400 Websites

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

While 1Password also uses the CDN, app developer AgileBits says its end-to-end encryption prevented any customer data from being exposed. The leaks were first spotted by Google security researcher Tavis Ormandy. He observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users.

Cloudflare Admits to Data Breach

Cloudflare admits a breach took place but maintains there is no evidence of the bug being exploited by anyone.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

Ormandy and other security experts believe the company is downplaying the severity of the leak. Ormandy responded to the Cloudflare blog post:

Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

They’ve left it too late to negotiate on the content of the notification.

Users Should Change Their Passwords

Security researcher Ryan Lackey (via 9to5Mac) says that while the probability of password information having been exposed is low, users should still change their passwords for affected services.

While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet

[…]

The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced. From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords.

Some Cached Data Remains

Search engines worked to clear any data cached from the breach before anyone announced it. However, ArsTechnica notes that some cached data remains.

Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains. Graham-Cummings said Thursday’s disclosure came only after the leaked data was fully purged, with the help of the search engines. Google cache, however, appeared to show data remained exposed by the bug, as evidenced by links such as this one, and social media threads including this one.

We’ll keep you posted.