CloudFlare Server Bug Sees Sensitive Customer Data Exposed As Plain Text

Google’s Project Zero alerts the content delivery network firm to the flaw

Sensitive data has been leaked across the Internet by CloudFlare for months due to a memory leakage bug in the content delivery network’s edge servers.

Rather than a malicious data breach caused by hackers, the leak was down to a flaw that enables sensitive information such as passwords, cookies, and authentication tokens to be visible as plain text on websites of CloudFlare’s customers.

Normally this information is obscured from view or encrypted, but the bug would have allowed visitors to see the sensitive data on the sites for which CloudFlare provides content delivery, security and performance services.

CloudFlare bug flares-up

Now patched, the flaw in CloudFlare’s edge servers is reported to have been active since September 2016, and remained that way for five months until it was spotted by Google’s Project Zero cyber security team.

“Our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines,” explained John Graham-Cumming, CTO at CloudFlare.
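To illustrate the class of bug Graham-Cumming describes, a parser that runs past the end of its buffer and returns whatever sits next to it in memory, here is an added example; it is not CloudFlare’s code and not part of the original article. The toy renderer, its escape syntax and the memory contents are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory: a 16-byte response buffer that ends in a lone '\',
   followed directly by bytes from a different request (values are made up). */
#define BUF_LEN 16
static const char arena[] = "<b>hello</b>abc\\" "\nCookie: sid=EXAMPLE-ONLY";

/* Toy renderer (hypothetical): copies buf[0..len) to out, dropping 2-byte
   "\x" escapes. BUG: the end test is an equality check, so an escape that
   starts on the last byte moves p past end and the loop keeps going.
   `limit` only fences the demo inside arena so the run is deterministic. */
static size_t render_unsafe(const char *buf, size_t len, const char *limit, char *out) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p != end && p < limit) {
        if (*p == '\\') { p += 2; continue; }   /* may step over end */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened: ordered comparison, plus a length check before skipping. */
static size_t render_safe(const char *buf, size_t len, char *out) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p < end) {
        if (*p == '\\') {
            if (end - p < 2) break;             /* truncated escape: stop here */
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char out[64];
    size_t n = render_unsafe(arena, BUF_LEN, arena + sizeof arena - 1, out);
    printf("unsafe (%zu bytes): %s\n", n, out);
    n = render_safe(arena, BUF_LEN, out);
    printf("safe   (%zu bytes): %s\n", n, out);
    return 0;
}
```

The unsafe call returns the neighbouring request’s cookie line along with the intended markup, while the hardened version stops at the buffer boundary.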

Overall, Graham-Cumming said the memory leakage only affected 0.00003 percent of HTTP requests made to CloudFlare’s edge servers – around one in every 3,300,000 HTTP requests. However, given CloudFlare’s customers number around five million, that still means a good number of websites could have been affected by the bug.

Furthermore, the cached data made it challenging for CloudFlare to conduct clean-up operations after the bug was patched, as it needed to ask browser providers, such as Google, Yahoo and Microsoft’s Bing, to remove the sensitive data from their users’ browser caches.

That being said, Graham-Cumming noted that there has been no indication that the leaked data has been exploited by malicious actors or hackers, as CloudFlare would have detected unusual activity on its customers’ websites should that have been the case.

Yet this does not change the fact that the bug was a major security flaw, particularly as it exposed not only passwords and other security data but also potentially embarrassing private messages sent by users of the OKCupid online dating service, as well as messages on what a Project Zero researcher describes as a well-known chat service.

“We keep finding more sensitive data that we need to cleanup. I didn’t realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” Project Zero member Tavis Ormandy said.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Such data breaches appear to be increasingly common; CloudFlare was lucky that no damage has really been done from the leak. But Yahoo has felt the sting of a major breach in both reputation and monetary terms.
