Cloudflare is a well-known brand associated with online security solutions and CDN (Content Delivery Network) services. Over the past week, however, the company has come under the spotlight of specialist sites because of a flaw (now patched) that caused the "random leak" of sensitive data (theoretically passwords, cookies, authentication tokens, etc.) on the portals of numerous customers. The list of companies that rely on Cloudflare is long: the US provider offers services to more than 5 million websites, which explains the apprehension across the Net following the official announcement released on 23/2.
Based on the findings of Google's security research team (Project Zero), the flaw was introduced into the Cloudflare ecosystem on September 22, 2016, as a result of the incorrect implementation of certain features (Automatic HTTPS Rewrites, email obfuscation) with a new HTML parser designed to increase overall performance. The Mountain View analysts initially thought it was an internal bug, that is, one in Google itself, but quickly traced it to Cloudflare. Because of the random leaks of sensitive data, the team decided to nickname the bug Cloudbleed, a "tribute" to the equally well-known Heartbleed, which many seem to have forgotten.
Investigations in progress for Cloudbleed
Although the investigations are still in progress, some details on the scope of the "leak of sensitive data" are already available. First, the leak occurred in two distinct phases: the first can be placed between 22/09/2016 and February 2017 and involved about 180 sites. The second runs from the beginning of February 2017 until the 22nd of the same month, the day that Google analysts notified Cloudflare of the problem. As for the number of sites involved, it rises to 6547 because of the rollout of the HTML parser on a larger scale.
As Cloudflare itself has stated, however, the most substantial loss of data took place between 13 and 18 February 2017, during which the bug would manifest once every 3 million or so HTTP requests routed to Cloudflare sites. Intruders could steal the information in real time or via the cache of the major search engines (Google, Bing, Baidu, etc.). The latter have helped the provider purge over 80,000 pages from their caches, limiting the damage caused by Cloudbleed.
Given the random nature of the information loss, it is difficult to determine how many bytes were actually leaked. Cloudflare says that there are still elements that confirm the use of the flaw by malicious but further investigations. An attacker could send a large number of requests to a portal, but given the random nature of the bug, it would be impossible to control the outcome.
