Yesterday, an incident report was posted on the official Cloudflare blog detailing a memory parsing bug that potentially allowed corrupted web pages to be transmitted to attackers.
An event like this means that potentially all of the data associated with any website for which you have saved a password, or which holds your cookies, authentication data or other types of sensitive data, may be compromised.
Three of their services enabled the leak of memory beyond the buffer. Email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites were the only three features that were using a faulty HTML parser chain. They were soon disabled, and any further attempts by would-be attackers to use this method to get sensitive data are doomed to fail.
It’s fascinating to see how quickly the Cloudflare team moved to create the best circumstances for fixing this issue. They deployed two cross-functional teams of professionals, one in London and one in San Francisco. They contacted Google to have any cached HTTP responses that may have publicly held sensitive information removed. The teams managed to resolve the issue in record time, just under 8 hours! Compared to the industry standard, which allows up to three months for resolving a bug, one can see not only how much Cloudflare cares about its users but also how efficient they are at resolving issues with their service. Kudos to them!
How does this concern me?
Take a short look at the websites in the ecosystem right now and you will notice that a rather high percentage of them use Cloudflare’s services to mitigate potential DoS or DDoS attacks. Any one of these websites is a potential target that can yield tons of sensitive data to an attacker actively abusing the bug. We are talking about authentication tokens, credit card information, passwords and cookies: all of the things that can enable an attacker to gain access to your finances or compromise your online privacy.
While the reality is that only a small percentage of the total HTTP requests resulted in a memory leak (0.00003% of total requests), you never know what exactly was leaked or to whom. It seems that nobody managed to take advantage of the situation, but just to be safe, an independent caution was released today by Kraken, following the TechCrunch article about the subject.
About 770 user sessions have been discovered so far. They are undoubtedly compromised. Even though it’s a small number in the vastness of the internet, we urge you to change your passwords on any Cloudflare-supported website that you’ve visited in the last couple of months. This will disable any potential attacks against your online identity and information.