THE INTERNET INFRASTRUCTURE company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet.
The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.
For the most part, the exposed data wasn’t posted on well-known or high-traffic sites, and even if it had been it wasn’t easily visible. But some of the leaked data included sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys. And as Cloudflare’s service spewed random information, that data was being recorded in caches by search engines like Google and Bing and other systems.
“Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site,” Cloudflare CTO John Graham-Cumming explained in a blog post on Thursday. The leak did not expose the transport layer security keys used in HTTPS encryption, but it does seem to have potentially compromised data protected in HTTPS connections. And while Graham-Cumming added that there’s no indication in Cloudflare’s logs or elsewhere that bad actors had taken advantage of the flaw, looking for leaked data that hasn’t yet been scrubbed has become something of an internet-wide scavenger hunt.
The good news is that Cloudflare acted quickly to address the bug. It pushed a preliminary fix less than an hour after learning about the issue, and permanently patched the flaw across all its systems around the world in under seven hours. But while the company has worked with Google and other search engines to scrub caches and rein in the exposed data—so that people can’t just run searches to find and collect sensitive information from the leak—the fallout remains.
What Happens Now
Cloudflare CEO Matthew Prince says that only clients who have certain HTML on their sites and were using a particular set of Cloudflare settings—3,000 customers in total—were triggering the bug while it was active. The data that leaked out and was deposited on their sites could come from any Cloudflare customer whose data happened to be in server memory at that particular moment. Prince says that so far Cloudflare is aware of 150 of its customers whose data was impacted in some way. “It’s obviously very serious for us, and it’s very serious for our customers, but for the individual WIRED reader the chances of this impacting them is relatively minimal,” Prince says. “We don’t like screwing up. It hurts. I don’t want to downplay the severity of this. It was a very bad bug.”
To mitigate whatever risk does remain, security researcher and former Cloudflare employee Ryan Lackey suggests changing every password for every online account, since the “Cloudbleed” leak could have exposed anything. “It’s coming out of a universe of all possible data that went through Cloudflare in the past six months, so there’s a lot of potential data,” says Lackey. “But the odds of any given piece of data being in there are very low.” Taking standard security hygiene measures like updating passwords and enabling two-factor authentication is always the best first line of defense. And since this Cloudflare bug has such unpredictable results, it’s smart to protect yourself even though you may not have been specifically exposed.
Some Cloudflare customers can also rest easier than others. For example, AgileBits, which makes the popular password manager 1Password, reassured its users on Thursday that none of their secrets, including the master password at the core of each account, could have been exposed by the bug. “We designed 1Password with the expectation that SSL/TLS can fail,” wrote AgileBits product security officer Jeffrey Goldberg. “Indeed it is for incidents like this that we deliberately made this design.”
For data traveling in plain text, though, the leak has real repercussions, especially if bad actors discovered it before Ormandy did. Then again, it may not have been worth the hassle.
“I’m not sure it’s the most productive way to attack a given site,” says Lackey. “I think there are a lot of easier ways to attack almost everything. And it’s not a really good targeted attack against a specific user.”
For now, the debacle’s major significance is a dramatic reminder that internet infrastructure and optimization services like Cloudflare may offer stronger and more resourced security protections than the average website would probably implement on its own, but that convenience also creates a different type of large-scale risk.
“The problem is Cloudflare is such a big target that if it were seriously compromised it would be a potentially internet-destroying thing,” Lackey says. “The real impact of this [incident] is it shows how critical Cloudflare has become on the internet.”