A serious flaw in the software code of one of the world's largest internet service companies has resulted in sensitive data being leaked across the internet. In a post-mortem blog entry, CloudFlare detailed how its edge servers were affected by a buffer overrun, causing requests made to websites using CloudFlare’s services to return bits of random data, potentially including private information such as API keys, user credentials, passwords, cookies and even private messages. The leaked data was also cached by search engines, increasing the chances that it could have been used for malicious purposes. The flaw has been informally called “CloudBleed” because of its similarities to the earlier HeartBleed vulnerability.
“CloudBleed” was initially discovered by Google researcher Tavis Ormandy, who reported the problem after observing unusual behavior from HTTP requests to websites that were running CloudFlare-based services. After analysis, CloudFlare traced the problem to its new cf-html HTML parser. Specifically, the problem involved a small error in the code that had been present in its older Ragel parser for years, but that only surfaced when the switch to the new parser changed the buffering, causing the leak to occur.
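The following added illustration is not CloudFlare's code. It is a simplified model of the bug class the post-mortem describes, an end-of-buffer test written with equality that a pointer can step past, and it shows why the error stays hidden until a chunk happens to end mid-attribute. The scanner, the `NEIGHBOUR` bytes and the sample tags are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed neighbour data standing in for another request's memory. */
static const char NEIGHBOUR[] = "cookie: SECRET-TOKEN";

/* Toy scanner (hypothetical). `len` is the logical end of the chunk and
 * `cap` the physical end of the array, so the demo never leaves its own
 * allocation. Returns the number of bytes read past the logical end. */
static size_t scan(const char *buf, size_t len, size_t cap, int hardened)
{
    const char *p = buf, *pe = buf + len, *limit = buf + cap;
    size_t overread = 0;

    while (p < limit) {
        /* End-of-buffer test: equality misses a pointer that skipped pe. */
        if (hardened ? (p >= pe) : (p == pe))
            break;
        if (p >= pe)
            overread++;            /* this byte belongs to someone else */
        /* '=' is assumed to be followed by a quote, so step over both. */
        p += (*p == '=') ? 2 : 1;
    }
    return overread;
}

/* Place `chunk` directly in front of NEIGHBOUR and scan it. */
static size_t demo(const char *chunk, int hardened)
{
    char arena[128];
    size_t len = strlen(chunk), cap = len + strlen(NEIGHBOUR);

    if (cap >= sizeof arena)
        return (size_t)-1;
    memcpy(arena, chunk, len);
    memcpy(arena + len, NEIGHBOUR, cap - len);
    return scan(arena, len, cap, hardened);
}

int main(void)
{
    printf("whole tag, ==    : %zu\n", demo("<img src=\"a.png\">", 0));
    printf("split chunk, ==  : %zu\n", demo("<img src=", 0));
    printf("split chunk, >=  : %zu\n", demo("<img src=", 1));
    return 0;
}
```

With the complete tag the equality test never fails, which is how such a check can sit unnoticed for years. Only the chunk that ends on `=` pushes the pointer over `pe` and into the neighbouring bytes.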
CloudFlare’s immediate response was to disable features that were using the HTML parser causing the leak. In addition, it deployed a team to identify and fix the bug in the parser, which it managed to accomplish in a relatively short amount of time, minimizing the potential damage before the information became more widespread.
Should internet users be worried?
Given the number of websites using CloudFlare’s services and the lengthy period of time in which the leakage was potentially active (the earliest possible date being September 2016), it seems that there should be cause for concern, especially for users who regularly use CloudFlare-affiliated websites. However, the company also noted that the actual impact of the leakage is relatively minor. It estimated that during the February 13-18 period in which the leak had the greatest impact, roughly 1 in 3,300,300, or roughly 0.00003%, of HTTP requests made through CloudFlare could have potentially resulted in memory leakage.
This, combined with CloudFlare’s quick response to the incident, means that the leak’s impact should be minimal. Still, it should serve as a reminder for all internet users to take steps to secure their most important digital assets – especially if these contain sensitive data.