Cloudflare Bug Leaked User Data from Multiple Websites

Web service company Cloudflare revealed that due to a system error, some of their products accidentally leaked private user information from multiple websites.

A bug in the service’s system, which has since been nicknamed “Cloudbleed” in reference to the 2014 Heartbleed bug, is reported to have leaked sensitive user information from websites such as OK Cupid, Uber, and Fitbit. Cloudflare’s bug was first noticed by Tavis Ormandy of Google’s Project Zero, who reached out to the company via Twitter.

The bug involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Cloudflare servers were running past the end of a buffer and were returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data, some of which had been cached by search engines.

Cloudflare released a statement on their website explaining their solution to the issue:

Having a global team meant that, at 12-hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.

CloudFlare explained that the greatest period of vulnerability was from February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through CloudFlare’s services resulting in a memory leak. Cloudflare fixed the issue and implemented a newer feature in order to ensure that a similar leak does not occur again.

“The engineers working on the new HTML parser had been so worried about bugs affecting our service that they had spent hours verifying that it did not contain security problems,” CloudFlare’s statement reads. “Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it. Our internal infosec team is now undertaking a project to fuzz older software looking for potential other security problems.”

Read the full incident report on the CloudFlare website here.