The Windows Club

CloudBleed: The security threat that is taking the Internet by storm

CloudBleed is one of the biggest security threats of all time, and it is at its peak right now. Cloudflare, the content delivery provider, was recently hit by a bug that has caused a LOT of personal data, from passwords to user details to bank information, to leak onto the Internet.

Ironically, Cloudflare is one of the biggest Internet security companies, and it was brought under scrutiny last year through Google’s vulnerability report against it. The worse news is that Cloudflare-backed sites have probably been leaking data long before Google’s analysts discovered the problem. And with clients like FitBit, Uber, and OKCupid, Cloudflare’s customers have a lot to worry about. So the first step you need to take is to change ALL your passwords on every account on the Internet and enable two-factor authentication wherever possible.

Cloudflare, while one of the more popular Internet services in the world, is a relatively unknown name. This is because it works behind the scenes to make sure that websites are protected by a web firewall. It is also a CDN, DNS, and DDoS protection company that offers a whole menu of products to major websites. And that is the big irony of the situation. Being a ‘content security’ specialist, Cloudflare should have been the last place to suffer a data leak this big. After all, countless companies pay Cloudflare to help keep their user data safe. The Cloudbleed blunder did the opposite.

Details of CloudBleed

The name derives from the Heartbleed bug, which is quite similar to this new one. In fact, the Cloudbleed bug is apparently the result of an error: a single character in Cloudflare’s code appears to have caused the disaster. There is currently no information on whether this was human error or deliberate action, but that should become clearer once the company gives a fuller public account of the incident.

Right now, there is just this blog post to get our ‘facts’ from. It mentions that the issue arose from the company’s decision to use a new HTML parser called cf-HTML. An HTML parser is a program that scans HTML to pull out relevant pieces such as start tags and end tags, which makes it easier to modify that code.

Both cf-HTML and the old Ragel parser were implemented as NGINX modules compiled into our NGINX builds. These NGINX filter modules parse buffers (blocks of memory) containing HTML responses, make modifications as necessary, and pass the buffers to the next filter. It turned out that the underlying bug that caused the memory leak had been present in their Ragel-based parser for many years, but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-HTML subtly changed the buffering which enabled the leakage even though there were no problems in cf-HTML itself.

In layman’s terms, this means that Cloudflare’s intentions were perfectly harmless. They just tried to store user data in the most efficient location possible. But when that location’s memory was full, the data ended up on other websites, from where it leaked far and wide. Now the almost impossible task is to track down all those websites and claw the data back.
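To make the buffering point concrete, here is an added illustration (not Cloudflare’s or NGINX’s code, and not a reconstruction of the actual bug) of how a parser that trusts every buffer to hold a complete tag can copy adjacent memory into a response once buffering changes so that a chunk may end mid-tag. The memory layout, the chunk boundary and the "session" bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample memory: an HTML response chunk that ends in the
 * middle of a tag, immediately followed by unrelated bytes standing in
 * for an adjacent buffer that holds another request's data. */
static const char arena[] =
    "<p>hi</p><script"               /* response chunk, no closing '>' */
    " SESSION=abc123; user=alice>";  /* adjacent memory, not this response */
static const size_t chunk_len = 16;  /* bytes that belong to the chunk */

/* Old behaviour: copy a tag up to '>' and trust that the buffer contains
 * one.  That holds while every response arrives in one complete buffer;
 * once chunked buffering can end mid-tag, the loop walks straight into
 * whatever memory follows the chunk (the output cap only protects 'out'). */
size_t copy_tag_unsafe(const char *p, char *out, size_t outsz) {
    size_t n = 0;
    while (*p != '>' && n + 1 < outsz)   /* no check against the chunk end */
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Hardened: honour the chunk length (p >= pe, not just ==) and report an
 * incomplete tag so the caller waits for the next buffer instead of
 * reading past this one.  Returns 0 and sets *incomplete when cut off. */
size_t copy_tag_safe(const char *p, size_t len, char *out, size_t outsz,
                     int *incomplete) {
    const char *pe = p + len;
    size_t n = 0;
    *incomplete = 0;
    while (n + 1 < outsz) {
        if (p >= pe) { *incomplete = 1; out[0] = '\0'; return 0; }
        if (*p == '>') break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char out[64];
    int inc;
    const char *tag = arena + 9;               /* points at "<script" */
    copy_tag_unsafe(tag, out, sizeof out);
    printf("unsafe copied: \"%s\"\n", out);    /* includes SESSION=... */
    copy_tag_safe(tag, chunk_len - 9, out, sizeof out, &inc);
    printf("safe copied: \"%s\" incomplete=%d\n", out, inc);
    return 0;
}
```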

How to stay protected against Cloudbleed-affected sites

Security expert Ryan Lackey, the owner of CryptoSeal, which was acquired by Cloudflare in 2014, has some tips to help you protect yourself while you can.

“Cloudflare is behind many of the largest consumer web services, so rather than trying to identify which services are on CloudFlare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites. Users should also log out and log into their mobile applications after this update. While you’re at it, if it’s possible, use 2FA or 2SV with sites you consider important,” Lackey said.

Find out if you visited Cloudbleed-affected sites

These two browser extensions will let you check whether you have visited sites affected by Cloudflare’s security issue: Firefox | Chrome. Install one and run the scan to find out whether you recently visited any Cloudbleed-affected websites. The

In any case, it might be a good idea to change the passwords of your online accounts and stay safe.

Extent of the leak

The most unusual part of the entire fiasco is that it is impossible to judge who and what has been affected. Cloudflare claims that only a minute part of its data has leaked through Cloudbleed, but this is coming from a company that didn’t know about the bug until someone from Google pointed it out. Add to that the fact that a lot of the leaked data was cached on third-party sites, and you may never know which data has been compromised. But that’s not all. The problems aren’t limited to Cloudflare’s clients: companies that have numerous Cloudflare clients as users are also expected to be affected.