Content delivery network Cloudflare has confirmed the existence of a bug that caused search engines to cache sensitive user data from a variety of well-known apps and websites. Google researcher Tavis Ormandy discovered and reported the bug to Cloudflare, and the company has since fixed the bug and published a detailed blog post about exactly what happened.
According to Cloudflare, the period of greatest impact for the "parser bug" ran from February 13 to February 18, although the extent of the leak stretches back months. The heart of the issue was a security problem with Cloudflare edge servers, which were returning corrupted web pages by some HTTP requests running on Cloudflare's large network.
In what the company referred to as "some unusual circumstances," occasionally private information was returned as well, including "HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data."
To expedite a solution, Cloudflare responded to Ormandy's discovery and turned off three minor features of the network -- email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites -- discovered to be using the same HTML parser chain "that was causing the leakage."
In its blog post, the company said that it has "not discovered any evidence of malicious exploits" in relation to the time that the parser bug was active. It also noted that, while serious, the scale of the bug was still relatively low: around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. "That’s about 0.00003% of requests," the company noted.
Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches. The company's chief technology officer, John Graham-Cumming, concluded the blog saying, "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it."
Earlier this week, it was reported that Apple cut ties with server supplier Super Micro Computer in order to avoid a potential future scenario where user data might be put at risk, similar to Cloudflare's leak. Early in 2016, Apple was said to have discovered a potential security vulnerability in one of Super Micro Computer's data center servers and effectively ended its business relationship with the network company shortly thereafter.
For a technical dive into Cloudflare's parser bug and its origins, check out the company's blog post.
According to Cloudflare, the period of greatest impact for the "parser bug" ran from February 13 to February 18, although the extent of the leak stretches back months. The heart of the issue was a security problem with Cloudflare edge servers, which were returning corrupted web pages by some HTTP requests running on Cloudflare's large network.
In what the company referred to as "some unusual circumstances," occasionally private information was returned as well, including "HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data."
It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.As shared in a tweet by Ormandy this week, that data also included private dating site messages from OKCupid, full messages from a "well-known chat service," passwords from password managing apps like 1Password, and more (via Fortune). In response, some companies -- like 1Password -- have published blog posts confirming that "no 1Password data is put at any risk through the bug reported about CloudFlare."
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
To expedite a solution, Cloudflare responded to Ormandy's discovery and turned off three minor features of the network -- email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites -- discovered to be using the same HTML parser chain "that was causing the leakage."
In its blog post, the company said that it has "not discovered any evidence of malicious exploits" in relation to the time that the parser bug was active. It also noted that, while serious, the scale of the bug was still relatively low: around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. "That’s about 0.00003% of requests," the company noted.
Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches. The company's chief technology officer, John Graham-Cumming, concluded the blog saying, "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it."
Earlier this week, it was reported that Apple cut ties with server supplier Super Micro Computer in order to avoid a potential future scenario where user data might be put at risk, similar to Cloudflare's leak. Early in 2016, Apple was said to have discovered a potential security vulnerability in one of Super Micro Computer's data center servers and effectively ended its business relationship with the network company shortly thereafter.
For a technical dive into Cloudflare's parser bug and its origins, check out the company's blog post.
Tag: CloudFlare
21 comments
Apple's rumored next-generation noise-canceling AirPods will launch at the end of this month with a new "Pro" moniker and a price tag of around $260, claims a new Chinese-language...
On Tuesday, Apple's Beats brand introduced the new Beats Solo Pro headphones, the company's first on-ear headphones with active noise cancellation. The new $300 headphones don't...
Apple today seeded the second beta of an upcoming macOS Catalina 10.15.1 update to developers, a little under a week after seeding the first beta and a week and a half after releasing macOS Catalina...
A major flaw in Samsung's Galaxy S10 smartphone has been discovered that basically means any fingerprint can unlock the device with the help of a cheap screen protector.
According to the...
Apple has posted the first stats for iOS 13 adoption since its launch on September 19th for iPhone.
Apple shared the statistics on the App Store Developers page which was updated today. Apple...
Apple today released the third betas of upcoming iOS and iPadOS 13.2 updates to developers, just under a week after seeding the second betas and three weeks after the release of iOS 13.1.
iOS...
Quanta Computer will likely stop taking assembly orders for the Apple Watch at some point in 2020 due to profit concerns, and may sell its manufacturing plant in Changshu, China dedicated to...
AnandTech today published its in-depth review of the iPhone 11 and iPhone 11 Pro, including a detailed overview of the processor and graphics performance gains of Apple's latest A13 Bionic chip.
...
