bit-tech.net

Cloudflare hit by major security vulnerability


CDN and security provider Cloudflare has been leaking data from its TLS connections, Google researcher Tavis Ormandy has discovered - and despite his best efforts, the flaw is now known as Cloudbleed.

Popular middleman web service Cloudflare has been hit by a serious security flaw, admitting that it has been leaking information from clients' TLS-protected traffic over the past few months.

Designed primarily as a content delivery network (CDN), Cloudflare offers its customers a range of services, from protection against distributed denial of service (DDoS) attacks through to analytics. Sitting between a visitor and the actual web server, Cloudflare caches content and can also decrypt then re-encrypt TLS-protected traffic, or even decrypt the traffic altogether and send it on to the target server unprotected, leaving the visitor with the false impression that the traffic is fully protected on its journey. While that's a potential security issue affecting those who don't offer HTTPS connectivity on their web servers, Cloudflare users have been hit with a more serious flaw: information leakage even when using TLS protection.

Discovered four days ago by Google Project Zero member Tavis Ormandy, the flaw is major. 'If an HTML page hosted behind CloudFlare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialised memory into the output,' Ormandy explained of his findings in his bug posting. 'My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates HTML - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users.'
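To make the bug class Ormandy describes concrete, here is an added illustration that is not Cloudflare's code and does not reproduce its parser: a toy tag stripper in C whose loops test the cursor with `!=` against the end of the page and advance it without a bounds check, beside a hardened version that uses `<` and a bounded search. The buffer layout is constructed: one array holds the page (ending in an unbalanced `<`) followed by "stale" bytes standing in for an unrelated user's response, so the over-read stays inside a single allocation and is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: a single array standing in for a shared proxy buffer.
 * The first PAGE_LEN bytes are the page being rewritten; everything after
 * them is "stale" memory left behind by an unrelated response (the
 * adjacency is simulated so the over-read stays inside one array). */
static const char SHARED_BUF[] =
    "<p>hello</p><"                                                /* page, unbalanced '<' */
    "</div>Set-Cookie: session=SECRET-OF-ANOTHER-USER; HttpOnly\r\n"; /* stale bytes */
static const size_t PAGE_LEN = 13;   /* strlen("<p>hello</p><") */

/* Vulnerable tag stripper. Both loops stop only when p lands exactly on
 * end, and the tag branch advances p without checking, so an unbalanced
 * '<' at the end of the page steps over end; from then on every "p != end"
 * test is true and the stale bytes are copied into the output. */
size_t strip_tags_vuln(const char *page, size_t len, char *out, size_t outcap)
{
    const char *p = page, *end = page + len;
    size_t n = 0;
    if (outcap == 0) return 0;
    while (p != end && n + 1 < outcap) {
        if (*p == '<') {
            p += 2;                              /* '<' plus first name char: unchecked */
            while (p != end && *p != '>') p++;   /* scan for the closing '>' */
            p++;                                 /* step over '>': unchecked */
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened version: the cursor is compared with '<' rather than '==', and
 * the search for '>' is bounded by the bytes that remain in the page. An
 * unterminated tag is dropped at the page boundary instead of read past. */
size_t strip_tags_fixed(const char *page, size_t len, char *out, size_t outcap)
{
    const char *p = page, *end = page + len;
    size_t n = 0;
    if (outcap == 0) return 0;
    while (p < end && n + 1 < outcap) {
        if (*p == '<') {
            const char *q = memchr(p, '>', (size_t)(end - p));
            if (q == NULL) break;                /* unbalanced tag: stop here */
            p = q + 1;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Runs the vulnerable stripper over the constructed buffer and reports
 * whether the other user's secret ended up in the output. */
int vuln_leaks_secret(void)
{
    char out[48];
    strip_tags_vuln(SHARED_BUF, PAGE_LEN, out, sizeof out);
    return strstr(out, "SECRET-OF-ANOTHER-USER") != NULL;
}

/* The hardened stripper yields only the page's own text, "hello". */
int fixed_output_is_clean(void)
{
    char out[48];
    size_t n = strip_tags_fixed(SHARED_BUF, PAGE_LEN, out, sizeof out);
    return n == 5 && strcmp(out, "hello") == 0;
}

int main(void)
{
    char out[48];
    strip_tags_vuln(SHARED_BUF, PAGE_LEN, out, sizeof out);
    printf("vulnerable: \"%s\"\n", out);
    strip_tags_fixed(SHARED_BUF, PAGE_LEN, out, sizeof out);
    printf("fixed:      \"%s\"\n", out);
    return 0;
}
```

The vulnerable output contains the stale `Set-Cookie` line, which is exactly the shape of leak the bug report describes (cookies and other users' traffic interleaved with page content); the output buffer's capacity is the only thing that stops the copy. The fix is not clever: every advance of the cursor is checked with an inequality that cannot be stepped over, and the search for the closing bracket is given an explicit length.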

The data gathered are the sort of thing that should definitely not be public knowledge: private keys for encryption systems, plain-text passwords, and even scraps including private messages from dating sites. With Cloudflare protecting some major websites - including two-factor authentication service Authy.com, hosting site Digital Ocean, dating site OKCupid, crowdfunding site Patreon.com, notorious Bittorrent tracker The Pirate Bay, and even Transport for London's official website - the flaw is widespread and severe.

Cloudflare, for its part, responded to the problem quickly and has since taken down the affected services in order to restore security to its users. It's possible, however, that anyone using any of the affected sites had personal information leaked - leaving members of an estimated 4,300,000 domains needing to change their passwords in order to ensure they remain secure.

Cloudflare has published a post-mortem on the bug, which may have been active since mid-2016. Both Cloudflare and Google have resisted giving the flaw a name, though Ormandy joked that 'it took every ounce of strength not to call this issue "cloudbleed,"' in reference to the earlier Heartbleed vulnerability - ensuring, naturally, that the media immediately started calling the issue Cloudbleed and a pseudonymous designer contributed the logo used to illustrate this article.

9 Comments

Mr_Mistoffelees 24th February 2017, 12:36 Quote
How would I go about checking to see if "secure" sites, I have given personal information to, use Cloudflare hosting?
Gareth Halfacree 24th February 2017, 13:09 Quote
Quote:
Originally Posted by Mr_Mistoffelees
How would I go about checking to see if "secure" sites, I have given personal information to, use Cloudflare hosting?

There's a list of them here, but bear in mind not all the sites listed may have been affected - some may only be using Cloudflare on certain subdomains and not others (like using it as a CDN for images but sending important traffic straight to the real server.)
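For readers who want to check a site themselves rather than search a list, here is an added example (not from the article, the forum, or Cloudflare) that inspects an HTTP response's headers for the two markers Cloudflare's proxy sets on responses it serves: a `Server:` value beginning with `cloudflare` and a `CF-RAY:` header. The sample header blocks are constructed. The caveat in the reply above applies to this check too: it only tells you whether the hostname you queried is proxied, so a site that proxies one subdomain but not another needs each hostname checked separately, and a positive result shows exposure was possible, not that it happened.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test that `line` begins with `prefix`. */
static int starts_with_ci(const char *line, const char *prefix)
{
    while (*prefix) {
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return 0;
        line++;
        prefix++;
    }
    return 1;
}

/* Returns 1 if the header block carries a "CF-RAY" header or a "Server"
 * header whose value starts with "cloudflare" (both are headers Cloudflare
 * adds to responses it proxies), 0 otherwise. Lines may end in \r\n or \n. */
int headers_show_cloudflare(const char *headers)
{
    const char *line = headers;
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        if (starts_with_ci(line, "cf-ray:"))
            return 1;
        if (starts_with_ci(line, "server:")) {
            const char *v = line + 7;
            while (*v == ' ' || *v == '\t') v++;   /* skip optional whitespace */
            if (starts_with_ci(v, "cloudflare"))
                return 1;
        }
        if (eol == NULL) break;
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return 0;
}

/* Constructed sample: a response served through Cloudflare's proxy. */
static const char PROXIED_HEADERS[] =
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Feb 2017 12:00:00 GMT\r\n"
    "Server: cloudflare-nginx\r\n"
    "CF-RAY: 0123456789abcdef-LHR\r\n"
    "\r\n";

/* Constructed sample: a response served directly by the origin. */
static const char DIRECT_HEADERS[] =
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "\r\n";

/* Reads a header block from stdin, e.g.  curl -sI https://example.com | ./cfcheck */
int main(void)
{
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, stdin);
    buf[n] = '\0';
    puts(headers_show_cloudflare(buf) ? "cloudflare proxy headers present"
                                      : "no cloudflare proxy headers");
    return 0;
}
```

Feed it the output of `curl -sI` for each hostname you log in to; the matching is case-insensitive because header names and the `Server` value are not guaranteed a particular case.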
jb0 24th February 2017, 13:18 Quote
Quote:
Originally Posted by Mr_Mistoffelees
How would I go about checking to see if "secure" sites, I have given personal information to, use Cloudflare hosting?

Well, no one uses Cloudflare hosting, because Cloudflare doesn't offer hosting. But you almost certainly visit a few sites that use the services Cloudflare DOES offer. Because darn near everyone uses Cloudflare. Everything from Fitbit to 4chan.
Gareth Halfacree 24th February 2017, 13:22 Quote
Quote:
Originally Posted by jb0
Well, no one uses Cloudflare hosting, because Cloudflare doesn't offer hosting.
Point of fact, m'learned friend: Cloudflare does offer hosting, 'cos it's a content delivery network (CDN) at its heart. You can't host an entire website on it, to be sure, but its primary function is to take commonly-requested static files on your host and move 'em onto Cloudflare servers throughout the world as a means of A) making things faster for visitors from afar and 2) saving you bandwidth.

Sure, you wouldn't describe it as a 'web host,' but equally to say it doesn't offer hosting ain't quite right neither.
jb0 24th February 2017, 13:54 Quote
I stand corrected. Point grudgingly conceded.

Incidentally, I was swinging back by to add a Github link where someone is trying to assemble a list of everyone using Cloudflare. (As well as a Cliffs Notes version that just lists the Alexa top 10000 sites, since no one's got time to read all five million URLs).
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
Gareth Halfacree 24th February 2017, 13:59 Quote
Quote:
Originally Posted by jb0
Incidentally, I was swinging back by to add a Github link where someone is trying to assemble a list of everyone using Cloudflare. (As well as a Cliffs Notes version that just lists the Alexa top 10000 sites, since no one's got time to read all five million URLs).
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

You mean the one I linked to in this 'ere comment? ;)
jb0 25th February 2017, 07:40 Quote
I... yes, I do. My only excuse is that it was very late for me.

Excuse me while I hang my head in abject shame.
mi1ez 26th February 2017, 21:23 Quote
Yeah, we were watching this unfold at work!
ZeDestructor 26th February 2017, 21:24 Quote
Quote:
Originally Posted by Gareth Halfacree
There's a list of them here, but bear in mind not all the sites listed may have been affected - some may only be using Cloudflare on certain subdomains and not others (like using it as a CDN for images but sending important traffic straight to the real server.)

At that point though, there's a good argument to be made to just change all your affected passwords.

...I have over 600 of the bloody things to check, and at least 100 to change...

urgh:(