On February 17, 2017, Google Vulnerability Researcher Tavis Ormandy discovered a bug directly affecting sites that use Cloudflare’s Content Delivery Network feature and those with accounts on websites that uses Cloudflare’s web security and acceleration features. This vulnerability resulted from a programming error and led to private data being leaked to web users and subsequently cached - or saved to be accessed by users in the future - on the users’ computers and by search engine providers like Google, which regularly cache web pages as well. Tavis immediately reached out to Cloudflare to alert them of the bug and began working with them and their global team to resolve the issue.
Who is Cloudflare?
Cloudflare is a US-based company with offices all over the world providing a content delivery network, internet security services and DNS services. They handle traffic for a large portion of the internet, including popular applications like 1Password, Uber, Calendars.com, OKCupid and many more. They are in essence a middle man handling traffic for millions of websites.
How exactly does the bug work and has it been fixed?
This bug caused sensitive information to be exposed to users and search engines - personally identifiable information, private emails, login information and passwords - to users who were not requesting that information. In short, a user who was requesting site A might have been sent a random chunk of data relevant to site B, where both A and B send their traffic through specific parts of Cloudflare’s network.
This is the first part of why the bug is so dangerous: users are receiving information they shouldn’t have in many cases without requesting it, knowing about it, or intending to use it maliciously. But even if most users who were served such data had no malicious intent, there are always those out there who will exploit this type of bug. The second reason this bug is so dangerous is because of a common process in internet hosting and search called caching—in essence, your local computer, search engines like Google, and many others keep their own copies of sites they’ve requested in the past in their “caches”. In a case like this where data was inappropriately disclosed, it was also kept in a variety of these cache locations outside of any central control—rather than being a serious but passing problem, the leaked data was saved in a lot of third-party locations that have to be cleaned up as well.
As soon as Cloudflare was alerted to the vulnerability they began working to isolate the cause and develop a fix. The Cloudflare team determined that three features were responsible for the leak and promptly disabled those features. Referencing the inappropriately cached data, Cloudflare said in its announcement that they have been working with their team and search engines to detect what data was cached and “purge” it.
The leak has been stopped and Cloudflare is in the process of scrubbing leaked data that was cached as an attempt to minimize the impact of the disclosure but at this point no one can guarantee a complete removal.
What does this mean for me?
Change your passwords on sites affected by the leak. It’s very possible you have an account on a website that was affected by this leak, consequently putting your information at risk. This also means that in the coming days/weeks you could receive emails from sites alerting you to change your password. These emails will most likely contain a link that will take you directly to a “change password” page. We urge you: DO NOT CLICK THIS LINK. While the all caps might be dramatic it’s important that you go directly to the service in question’s main web page to change your password. With vulnerabilities of this type, it’s common for hackers to attempt to try to take advantage of the chaos and confusion and make things worse by tricking users into giving up their password via bogus password reset links sent via email. While we strongly urge you to reset passwords for any sites that may have been impacted, we urge you to also be smart and avoid falling for phishing attacks.
Vulnerabilities like these are why we always suggest using Two-Factor Authentication and Password Managers to keep your network secure and to make changing and storing passwords in the event like this much easier.
Response to the Announcement
While there has not been a formal statement from Cloudflare’s executives, high profile clients that use Cloudflare services have made statements about the vulnerability.
Uber released the following statement to Swati Khandelwal at The Hacker News: "Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed."
And 1Password released the following post regarding the leak.
As always please feel free to reach out should you have any questions, or interest in implementing security procedures in your business.