Cloudbleed Post-Mortem: 1.2 Million Leaks, But No Evidence of Exploitation
Cloudflare has said that its investigation into the mass leak of data from HTTPS browsing sessions confirmed that the bug was triggered over a million times before it was fixed last week. However, the company has found no evidence, in the sample it analyzed, that the bug was exploited for malicious purposes before it was patched.
Massive data leak, but no evidence of exploitation
Last month, Google's Project Zero team discovered a bug in Cloudflare's edge software: a single faulty end-of-buffer check in the source code of a Cloudflare HTML parser led to the exposure of personal information belonging to users of over 3,400 websites. Popular services such as Uber and OKCupid were affected by the memory leak, which became known as “Cloudbleed.”
“The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it.”
The flaw was reportedly first introduced in September 2016, with the greatest impact between February 13 and February 18. While the bug itself was fixed within hours of Google's report, it took Cloudflare several days to contain the incident because leaked data had already been cached by Google, Bing, and other search engines. Over 80,000 unique cached pages have been purged from those caches since the flaw was discovered.
Between 22 September 2016 and 18 February 2017 we now estimate based on our logs the bug was triggered 1,242,071 times.
“Given the scale of Cloudflare, the impact was potentially massive,” Matthew Prince, chief executive of the networking giant, wrote in a lengthy blog post. “For the last twelve days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched. We’ve found nothing so far to indicate that was the case,” Prince assured.
Restoring trust after Cloudbleed
Cloudflare provides website infrastructure, content delivery, and security services to millions of websites. In his disclosure, Project Zero researcher Tavis Ormandy said the leaked data included passwords, encryption keys, messages from dating sites, chat messages, IP addresses, and full HTTPS requests. Ormandy also said that Cloudflare's initial statement downplayed the exposure.
Prince did not dispute the severity of the issue, explaining that the bug caused Cloudflare's edge servers to read past the end of a buffer and return adjacent memory, which could contain sensitive data belonging to other requests. In his detailed blog post, however, Prince tried to restore trust in Cloudflare’s services, saying that the company hasn’t found “any passwords, credit cards, health records, social security numbers, or customer encryption keys in the sample set.” It did discover “a large number of instances of leaked internal Cloudflare headers and customer cookies.”
He did add that “since this is just a sample, it is not correct to conclude that no passwords, credit cards, health records, social security numbers, or customer encryption keys were ever exposed.”
If there was any exposure, based on the data we’ve reviewed, it does not appear to have been widespread.
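To make the buffer overrun Prince describes concrete, here is an added illustration (my own code, not Cloudflare's cf-html parser and not code from the original article). It models the bug class in miniature: a scanner that skips ahead without a bounds check and then relies on a `p == pe` end-of-input test. When the HTML chunk is cut off right after an `=`, the pointer lands one past the end, the equality never holds, and the scan keeps walking into whatever sits next in memory. The "neighbouring" bytes here are constructed sample data placed in the same array so the demonstration runs with defined behaviour; the function names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One contiguous arena standing in for a slab of edge-server memory.
 * The scanner is handed only the first CHUNK_LEN bytes: an HTML chunk that
 * ends right after '='. The bytes that follow play the role of an unrelated
 * request that happens to be adjacent in memory. Constructed sample data. */
#define CHUNK_LEN 8
static const char arena[] =
    "<a href="                  /* the 8-byte chunk the parser may read   */
    " Cookie: session=abc123>"; /* "neighbouring" memory it must not read */

/* Vulnerable scanner: after finding '=', it skips the '=' and the opening
 * quote with no bounds check, then depends on p == pe to detect the end.
 * If the chunk ends at '=', p becomes pe + 1, the test never fires, and the
 * loop runs on until it meets '"' or '>' in adjacent memory. */
size_t scan_attr_vulnerable(const char *buf, size_t len, const char **val)
{
    const char *p = buf, *pe = buf + len;
    while (p != pe && *p != '=') p++;
    if (p == pe) { *val = NULL; return 0; }
    p += 2;                                   /* may overshoot pe */
    *val = p;
    while (p != pe && *p != '"' && *p != '>') /* == check only */
        p++;
    return (size_t)(p - *val);
}

/* Hardened scanner: every advance is checked against the remaining length
 * and the loop uses p < pe, so an overshoot can never be mistaken for
 * "still inside the buffer". A truncated attribute yields no value. */
size_t scan_attr_fixed(const char *buf, size_t len, const char **val)
{
    const char *p = buf, *pe = buf + len;
    while (p < pe && *p != '=') p++;
    if (pe - p < 2) { *val = NULL; return 0; } /* need '=' plus the quote */
    p += 2;
    *val = p;
    while (p < pe && *p != '"' && *p != '>')
        p++;
    return (size_t)(p - *val);
}

/* How many bytes of the returned value lie beyond the chunk the scanner
 * was given; anything above zero is a leak of neighbouring memory. */
size_t leaked_past_end(const char *buf, size_t len, const char *val, size_t n)
{
    const char *pe = buf + len;
    if (val == NULL || val + n <= pe) return 0;
    const char *from = val > pe ? val : pe;
    return (size_t)(val + n - from);
}

size_t demo_vulnerable_leak(void)
{
    const char *v; size_t n = scan_attr_vulnerable(arena, CHUNK_LEN, &v);
    return leaked_past_end(arena, CHUNK_LEN, v, n);
}

size_t demo_fixed_leak(void)
{
    const char *v; size_t n = scan_attr_fixed(arena, CHUNK_LEN, &v);
    return leaked_past_end(arena, CHUNK_LEN, v, n);
}

int main(void)
{
    const char *v;
    size_t n = scan_attr_vulnerable(arena, CHUNK_LEN, &v);
    printf("vulnerable: %zu bytes, %zu past end: \"%.*s\"\n",
           n, demo_vulnerable_leak(), (int)n, v ? v : "");
    n = scan_attr_fixed(arena, CHUNK_LEN, &v);
    printf("fixed: %zu bytes, %zu past end\n", n, demo_fixed_leak());
    return 0;
}
```

The vulnerable scanner hands back the neighbouring cookie as if it were an attribute value, which is exactly how another customer's headers ended up inside a page served to a different visitor. Note that changing `==` to `>=` alone only stops the loop; the real fix is to bound the skip before it happens, which is what the hardened version does.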