Cloudflare Leaks Sensitive User Data Across the Web

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

obligatory cutesy name

If this unremarkable bug in a proprietary cloud platform didn't have a cutesy name, it wouldn't be reported in the news. It would have just been fucking fixed, because fixing it is the important part, not running bullshit news about it.

Re:obligatory cutesy name

Um.. Considering the size and scope of Cloudflare, this pretty massive news.

And Cloudflare fixed it within 7 hours of learning about it. And the first thing Google did when discovering the bug was immediately reach out to Cloudflare. They went so far as to turning to Twitter to find the fastest possible route of alerting someone at Cloudflare.

But please continue to keep swearing about nothing.

Re:obligatory cutesy name

Cloudflare = Crimeflare

And who knows how long this bug has been present. Hell it may have even been intentional so the FBI, NSA, CIA, and various other spy agencies could eavesdrop.

Re:obligatory cutesy name

Cloudflare = Crimeflare

A list of impacted sites begs to differ.

Re:obligatory cutesy name

[SumDog]

I'm really surprised at the comments here. This is probably one of the largest information leaks/vulnerabilities of the past several years, and definitely the largest tech story of 2017. This is way larger than Google breaking SHA-1 (in a non-trivial way).

The HackerNews story has hundreds of comments explaining just how bad the situation is.

Re:obligatory cutesy name

[DonaId+Trump]

Yep, CloudFlare is spraying supposedly TLS-encrypted data all over the internet in clear text?! What the fuck!? I almost want to laugh at CloudFlare's misfortune, except every internet user including me is probably affected by this. What the hell is the point of HTTPS at all, when so much HTTPS traffic is being purposely MITM'd for profit by CloudFlare? A very large part of the web is living under their leaky roof, meantime many in the professional networking community encourage this and help implement it. Again I ask what the fuck!? The whole company smells more like a CIA operation as time goes on.

CLOUDFLARE IS UNDERMINING THE INTERNET, not to mention proudly serving ISIS terrorist websites, malware distributors, and DDoSers/Booters. They should be null routed and de-peered!

Re:obligatory cutesy name

And in their blog, they provided a highly detailed explanation of the bug, how it worked, and how they fixed it. You just don't see that kind of customer engagement and detail in most tech companies.

Re:obligatory cutesy name

[DonaId+Trump]

Folks, we're going to build a wall around Cloudflare and Cloudflare will pay for it! I just got off the phone with my cyber experts, Barron Trump and Alex Jones. They assured me that whitehouse.ru doesn't use Cloudflare, it's protected by something they called "FSB Security," which is the best security, believe me.

Re:obligatory cutesy name

It's because everyone technical has already left slashdot, and this is just a shadow of the former glory, full of racism and misogyny.

Its like a tech mos eisley honestly. I've about had my limit myself.

Re:obligatory cutesy name

[alexandru_preoteasa]

GTFO and don't let the door hit you on the ass, mmkay? Thx pumpkin...

Re:C strikes again

Ironically calloc would solve a lot of problems if only idiots would stop whining about how malloc is allegedly faster. It's ironic because Calloc begins with C.

Lovely

[LordWabbit2]

unnamed services for hotel booking and password management.

And THAT is why I don't use online password management sites, bloody stupid idea anyway, talk about putting all your eggs into one basket.

Re:Lovely

[fuzzyf]

As long as passwords are encrypted and decrypted on the client it's not really that much of a risk.

I think the benefit of having different complex passwords for every web/system with easy access from all devices is worth it. At least I havent managed to set up a better system for myself... yet.

MFA and a strong master password is pretty good for protecting your passwords.

Re:Lovely

[Troed]

It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.

No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.

https://blog.agilebits.com/201...

(I use LastPass myself)

The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.

Re:Lovely

[ckatko]

>unique 14+ char completely random passwords

loln00b. ;)

I use 64-character passwords generated using openssl SHA-1 being fed with /dev/random.

I'm not even kidding. After the FIFTH GODDAMN WEBSITE LEAKED MY PASSWORDS IN ONE YEAR, I became outright furious. I'm still waiting for Congress to stop sucking corporate dicks and pass a law making it explicitly illegal to lose a MILLION user accounts, let alone a fuckin' BILLION like Yahoo did.

Re:Lovely

Problem with 64-character passwords is that a lot of websites/services truncate passwords above a certain length, often without telling the user *cough* PayPal.

Re:Lovely

[Troed]

Do you believe anything in that link should have any LastPass customer worried?

We're not. The reason why is extensively covered both in that very article and by LastPass themselves.

Re:Lovely

[sexconker]

No, the worst part is when they perform the truncation on the web end and your 64 character password gets cut down before being processed, then at a later date they change the limit and your 64 character password gets cut down to a different length before being processed, thus preventing you from logging in. This can also happen if they decide to disallow certain characters and don't bother considering that user's may have them in their passwords already. It can also happen if they silently strip out certain characters but at a later date allow them.

SCE.com had this problem several times. In one instance, they fucked up on the truncation. Their limit was 16 characters but it was truly 15. My 16 character password stopped working. Kill off 1 character from the end, boom it works.

T-Mobile's site has had similar issues in the past.

I've even run into issues where the password reset tool accepts a length and character set that the login page doesn't, so even a freshly-set and accepted password won't work.

Re:C strikes again

Would not have helped. The problem with C is that pointers carry no information about the area of memory they're supposed to be point within. C programmers use pointers like indices, but an index alone isn't enough to address memory: You need the array too, and at least conceptually that comes with a size (but of course pure C doesn't stop you from exceeding array bounds.) What happened here is that the program had lots of buffers in contiguous memory, and by exceeding the one it was supposed to work with, it didn't end up serving uninitialized memory but other (initialized and used) buffers for other clients.

Re:uninitialized memory

Would not have helped. It's a buffer overrun into other buffers that are in use, not uninitialized memory.

Re:C strikes again

If you're a gambler, you could use malloc everywhere and initialize nothing and accept the fuckups that happen with uninitialized memory, or you can be a responsible coder and use memset everywhere, but wait, since "responsible" and "coder" are contradictory, why use malloc and memset when you can use calloc which explicitly allocates from zero filled memory, so you can maintain your reputation as a badass rockstar who doesn't give a shit about initializing anything, ever!

Calloc! The drop in replacement for malloc that makes your code safer while also making it look like no fucks were given!

Re:C strikes again

[fisted]

Calloc! The drop in replacement for malloc that makes your code safer while also making it look like no fucks were given!

What a pile of shit.

Leave C to the adults, mkay?

Re:C strikes again

[ledow]

Except they wrote it in Ragel, which generates C code or asm

So, in theory, any language used like that could have generated bad / vulnerable end-code.

Re:just STOP using C already!

Good luck with that, when you write buggy code in your higher level language and your higher level language compiles to C.

Re:C strikes again

[ledow]

and ASM

Would the ASM have been bug-free?

Would any other language, with ANY amount of safe-guards been physically incapable of producing an off-by-one in it's output code?

No.

This is quite literally "Ragel took a definition, and then compiled it to bad machine code". Whether that was via an intermediary language or not, that's possible with ANY compiler for ANY language. If Java had a bug in it that resulted in incorrect machine code being generated for the "safe" Java code it was asked to execute, the same would have happened.

Bad, buggy compiler. The fact that it used an intermediate language which you disagree with is neither here nor there (and Ragel could output asm direct, so it wasn't "C-specific"). No different to a JVM-compiler bug.

Re:just STOP using C already!

[l20502]

It's hilarious because cloudflare is a pretty strong advocate of Go

Re:C strikes again

[Wootery]

No. Read the article.

For the avoidance of doubt: the bug is not in Ragel itself. It is in Cloudflare's use of Ragel. This is our bug and not the fault of Ragel.

They then explain that the root of the bug was a mistake in their flow-control which triggered an inappropriate pointer-increment.

Any happy CDN CloudFlare client around?

[CustomSolvers2]

I am genuinely curious about the actual advantages of the CloudFlare CDN.

Some time ago, I tried their most basic package and didn't notice any improvement. In fact, that site had some slow-page-loading issues which their CDN didn't reduce; additionally, some unknown-until-that-moment errors started appearing. Note that the whole point of that offer was convincing me to buy the proper version, so I assume that it was good enough. This was a quite short experience and that's why I don't have a clear opinion about them.

What I definitively find very curious is the relevant number of sites using CloudFlare. Another curious bit is that CloudFlare never fails, at least this is what the error messages say. I mean the ones which are shown when a site using CloudFlare is down, clearly stating that everything is that site's fault because the CloudFlare part is fine. I have never seen one of these error messages saying that the site is fine and CloudFlare is down.

Re:Any happy CDN CloudFlare client around?

[larkost]

The main advantages are that a) they can take a lot more load that the majority of sites can by both doing pretty good caching and having a lot of geographic redundancy (and the DNS services to handle that), and b) have an operations team that can better respond to DOS attacks than most of their customers are large enough to have (plus network-geographicly distributed resources to hopefully mitigate the attack).

They are probably not going to be faster for small-traffic websites, and they are adding a layer of complexity (so can easily be complicit in bugs, if not outright responsible for them), but if you are going to be hit with a lot of traffic (legitimate or not), then they offer a service that few smaller companies are in the position to match.

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

I use Cloudflare for a variety of sites mostly for DDOS protection. And it seems to work pretty well for that.

They claim to do a lot of caching of static content but since most of my sites are dynamic (they have to be) I've never seen much benefit from that end of it.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

Thanks for the info. DoS protection makes much more sense than the affordable-CDN-for-everyone which I thought that was their primary business.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

Thanks for sharing your experience. As commented above, protection against denial of service is a much more plausible explanation for their success than providing affordable CDNs.

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

I can say that I've been happy with them, and they do provide some decent/interesting metrics on site traffic.

They also have some interesting features like SSL without a cert for your site, HTTPS rewriting, DNS fiddling, some firewall stuff and page rules (which I don't use but they look like they could be very useful).

They do seem to screen out a lot of malicious traffic, if their stats can be believed (and I've no reason not to think they're real). The site is very straightforward to use and easy to figure out.

I have about 25 domains that use cloudflare. I only use their free account services but I've no complaints with them.

Re:Any happy CDN CloudFlare client around?

[indi0144]

Also don't forget about Universal SSL, which I think is related to the problems here (?). Having a central point to manage name zones is another unintended feature, you can swap domains from hosts with minimal DNS downtime. The firewall features are nice, you can block single IPs and challenge whole countries on arrival.

If you site got buggy after enabling Cloudflare most of the time is because you "optimized" the JS with a (forever beta) feature called Rocketsomething and checked JS for tidy. Or you forgot to stop caching while doing changes in the code and now you browser's cache and the updated files conflict.

While I agree that CF is in a position to be even more scary that Google (but that would break the meme) It comes down to the bang for the buck scenario, CF gives plenty in exchange for what? the swarm numbers so they can predict stuff better? Are we simply freeloading on the big corps dime? Yugedata? What? You never know, just that it is free and theres no evil stalking pushing you to upgrade, the paranoid in me "knows" but just can put the finger on it.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

feature called Rocketsomething

Yes, I do recall that feature, but I think that this wasn't the reason for my problems. Apparently, they didn't emulate my original conditions perfectly in their copy. But as said, this was a short test over 1 year ago of a free version, so it might have been anything.

While I agree that CF is in a position to be even more scary that Google

No doubt on that. They are plainly getting full copies of all your web-files and storing them in servers you cannot reach. This is plainly a fear-based business where you have to almost blindly trust your defenders. It is way much more invasive than what antivirus do, as far as they are fully managing (copies of) all your information without you being present at all. They even become your eyes/window to the external world, the only way you have to know about problems and solutions. In any case, I guess that there is no alternative, at least when dealing with big enough sites.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

They do seem to

This is the bit which kind of puzzles me. During my quick test, I recall to have seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.

I can say that I've been happy with them

This is all what matters. Although I didn't get a good impression about all this, I recognise my limited expertise and want to hear about others' experiences. People using a given product and being happy with it is a much more relevant feedback than preliminary impressions and abstract assumptions.

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

This is the bit which kind of puzzles me. During my quick test, I recall to have seen many threats being blocked. On the other hand, before using it or after disabling it, my site continued running fine (although motivatedly slow). So, the only improvement which I saw on the security front was getting a list of stopped threats, about which I wasn't aware and which didn't seem to have a relevant impact on my site.

I think that 99.9999% of attacks don't succeed which is why we never notice them. Sometimes even when they do succeed we may not notice that the site's been compromised. It depends what the end goal is. Maybe they just want file storage space, maybe they use the site as a low-level attack platform, or use it as part of a botnet, or to run more scripts, etc.

I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins which are absolutely malicious in nature. (Fuzzing, malformed queries, GET requests that are obviously probes for vulnerable forms, attempted logins from China, the Maldives, Sweden, etc etc.) They go on 24/7, every single day of the year non-stop. Sometimes there are loads of them, sometimes just a few in any given hour or minute, but they're there.

My guess is that cloudflare is intercepting and stopping many of them, but I really haven't dug into it to see what the specifics are. I don't know if they provide a detailed log of threat activity, I'll have to go look and see if they do.

One thing that cloudflare does is conceal the actual IP that the site is on, and that helps prevent direct DDOS attacks to the IP address. However, you have to make sure that the site doesn't do anything that reveals its IP, like sending confirmation emails that would of course show the originating IP.

Put it behind cloudflare, make sure the IP address isn't discoverable, and you'll be in pretty good shape. If the site does start to get hammered you can go into the cloudflare control panel and turn on a higher level of protection like temporary CAPTCHAs for page requests and stuff like that.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

I look through my server logs on some of my unprotected sites and I see a never-ending stream of GET-style attacks and queries and attempted SSH logins which are absolutely malicious in nature

I have also seen lots of malware-wannabe bots visiting my two sites (with very low traffic), but never really dangerous attempts. Most of them do completely stupid actions like expecting the database to be in a very specific location (and accessible via HTTP!!) or visiting pure gibberish. The less stupid ones look for what seem known exploits of applications, but in a pretty naive and arbitrary way (e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that server). But, as said, I understand that the situation of my sites has nothing to do with the ones involving big (or many) sites: they get low traffic (+ don't contain valuable information which isn't public), I wrote their whole code from scratch and are hosted by a good hosting provider which takes care of quite a few issues for me.

Put it behind cloudflare, make sure the IP address isn't discoverable, and you'll be in pretty good shape.

Curiously, I had an argument with my internet provider this morning about their peculiar way to manage the visibility of my local network IP address. Unfortunately, what you propose isn't applicable to my situation because I will be certainly using that IP in quite a few places.

Thanks again for your feedback and helping me understand better what CloudFlare provides exactly; in any case, I am not planning to start using their products. For the time being, my overall impression about them has changed from kind-of-bad to kind-of-neutral :)

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

(e.g., expecting to find WordPress files in a specific location when WordPress isn't even installed on that server)

Yep, these are the mindless bots, just hitting every domain that they can, checking for a Wordpress installation. If they find one then they kick into a more dedicated exploit mode or they note the URL and another bot comes along later to do a comprehensive search for vulnerable WP plugins.

If you use Wordpress, I highly recommend the "Wordfence" plugin- it stops a LOT of stuff and is highly configurable. I consider it a must-have plugin for any WP site.

-

Thanks again for your feedback and helping me understand better what CloudFlare provides exactly

You're welcome.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

If you use Wordpress

No, I don't. WordPress or anything else. As said, I created both my sites from scratch (= wrote each single character of their codes); as far as programming is my work, why not using my sites as a permanent self-promotion? In the past, I did relied on WordPress to take care of secondary functionalities and didn't like that experience too much (I prefer my code :)).

must-have plugin for any WP site.

Even in the unlikely scenario of using WordPress, I wouldn't use plugins unless under very specific circumstances. If WP implies an increase of uncertainty (unsafety, unreliability, incompatibility, etc.), WP plugins extend that risk by orders of magnitude. I can do anything in PHP or in any other language myself (+ like coding + it is a self-promotion), why introducing potentially-problematic third elements when not required? I am not just talking about my situation or the one of any other experienced programmer: plugins aren't absolutely bad, but they shouldn't be included by default as the first option either.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

PS: just in case that it wasn't clear, bear in mind that with "my sites" I meant customsolvers.com (main site) and varocarbas.com (where I store R&D-oriented anything). Their main purpose is to promote and to give some visibility to my work as a programmer (I don't get any direct income from the visitors they get). Also note that I don't manage others' websites (don't even build them).

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

No, I don't. WordPress or anything else. As said, I created both my sites from scratch (= wrote each single character of their codes);

Same here for 99% of my sites. There are a couple of quickie Wordpress sites I've put up (one for my wife's business, stuff like that) but other than that I code it all by hand, no IDE, just CEdit and a lot of coffee. :)

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

by hand, no IDE, just CEdit and a lot of coffee. :)

Exactly like me except for the editor (NotePad++ over here); at least, when using PHP. With other languages like C#, I also enjoy fully-featured IDEs.

Re:Any happy CDN CloudFlare client around?

[JustAnotherOldGuy]

Heh heh, I used Notepad++ for a long time.

Give Crimson Editor (CEdeit) a try, it's a lot like Notepad++ but it does a few extra things like bracket-matching, keyword highlighting some other handy stuff: http://www.crimsoneditor.com/

I use it in a very 'minimal view' mode, but I like it a lot.

Re:Any happy CDN CloudFlare client around?

[CustomSolvers2]

Give Crimson Editor (CEdeit) a try, it's a lot like Notepad++ but it does a few extra things like bracket-matching, keyword highlighting some other handy stuff

Notepad++ does all these things since long time ago. Perhaps you should re-try it :)

Re:C strikes again

Are you denying that calloc can be used everywhere malloc can be used?

On the C Abstract Machine, it can. In the real world (and especially in needlessly linux-specific code), calloc can be^Wappear so much faster. If you allocate a buffer and rely on access being fast right away, calloc might come around and bite you in the ass because of the COW semantics that linux' calloc seems to have.
So using calloc instead of malloc could in theory break some pseudo realtime things.

That said, the inverse is not true, i.e. you cannot necessarily replace your every calloc with a malloc+memset. I'll leave it as an exercise to you to find out why. Shouldn't take all too long, given that you appear highly competent at C.

Are you denying calloc has the beneficial side effect of returning a pointer to zero filled memory?

Side effect? You can not be serious. Yes, it gives you a pointer. No, the memory isn't necessarily zero-filled, or exists in the first place until you first hit it.

Or are you simply a stupid fucking snowflake who objects to crude humor?

Of course I object to crude humor, but what does that have to do with anything? I'm objecting to idiots, which often makes me reply on /. Like here.

Re:C strikes again

[boa]

If you're a gambler, you could use malloc everywhere and initialize nothing and accept the fuckups that happen with uninitialized memory, or you can be a responsible coder and use memset everywhere, but wait, since "responsible" and "coder" are contradictory, why use malloc and memset when you can use calloc which explicitly allocates from zero filled memory, so you can maintain your reputation as a badass rockstar who doesn't give a shit about initializing anything, ever!

Calloc! The drop in replacement for malloc that makes your code safer while also making it look like no fucks were given!

Sometimes, initializing memory -- just for the sake of initialization -- creates or hides errors. This includes, but is not limited to, allocated memory. For example, Valgrind will not be able to detect reads of uninitialized data if all data always is set to 0. Valgrind is an extremely powerful tool which can track down really obscure bugs, so it's wise to play ball with Valgrind.

Another example may be to initialize a local variable to some default value, blocking the compiler from emitting a proper warning.

Re:What cloud

[Ash-Fox]

All "cloud" means is literally SOMEONE ELSES COMPUTER

But I run my own cloud, so, no it doesn't. Stop lying.

Re:just STOP using C already!

[JustAnotherOldGuy]

It's hilarious because cloudflare is a pretty strong advocate of Go

I can't believe they didn't use Rust or Malbolge or Visual Basic.

As a career security professional, I'm not too wor

[raymorris]

Part of what I do for a living, and have done for many years, is evaluate these kinds of vulnerabilities. This could have been really, really bad, a major story. Certainly it would be a big deal if all of the following were true:

If the issue existed for a long time.
If the bad guys knew about it before it was fixed.
If it affected sites that had something vaguely resembling valid html.
If it could have leaked tls/ssl keys.

In the security field, we have a mostly objective scoring system called CVSS which gives a numeric score to how bad the risk is. This scores high enough that it needed to be fixed right away - and it was fixed right away, probably before any bad guys knew about it.

Given the details of the issue, and how it was handled by first Google and then Cloudflare, I don't think it's the biggest story of the year. Cloudflare fixed it within hours and got cached copies of affected pages removed from search engine caches. All evidence indicates this was done before any bad guys were aware of the issue. I'm not too concerned. That's my professional opinion. My opinion would be different if it were left unfixed for six years after it was publicly known, then half fixed for six more years (looking at you, Microsoft).