Cloudbleed is a security bug, discovered on February 17, 2017, in Cloudflare's reverse proxies. It caused Cloudflare's edge servers to read past the end of a buffer and include the adjacent memory in HTTP responses. That memory could contain private information from other requests, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.
As a result, data belonging to one Cloudflare customer could be returned in responses served for an unrelated Cloudflare customer's site, the only condition being that the data happened to be in the edge server's memory at that moment. Some of the leaked data was cached by search engines.
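The failure mode described above, a scanner that only stops on exact equality with its end pointer and so keeps reading once it has overshot, is easy to see in code. The following C program is an added illustration written for this article, not Cloudflare's parser and not code from the original page: the buffer layout, the tiny "<a " tag scanner, and the neighbouring cookie string are all constructed. It runs the vulnerable scanner and a hardened one over the same truncated page, with another request's data placed immediately after it in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class (example code for this article,
 * not Cloudflare's parser). Two arrays sit back to back in one struct so the
 * layout is deterministic and the over-read lands in memory this program owns. */
struct edge_memory {
    char page[8];    /* HTML of the response currently being rewritten        */
    char other[64];  /* data from an unrelated request that happens to follow */
};

static char g_out[64];   /* where each demo run leaves the copied attribute text */

/* Copy the attributes of the first "<a " tag in buf[0..len) into out.
 * Vulnerable version: after finding '<' it skips the 3-byte "<a " without
 * checking that 3 bytes remain, and its loop stops only when p == end.
 * If the page ends inside the tag, p jumps past end, the equality test can
 * never become true, and the copy continues into whatever follows the page. */
size_t copy_attrs_vuln(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    out[0] = '\0';
    while (p != end && *p != '<')
        p++;
    if (p == end)
        return 0;
    p += 3;                                        /* assumes "<a " is all there   */
    while (p != end && *p != '>' && n < cap - 1)   /* p != end is skipped once p > end */
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Hardened version: every advance is bounded by the bytes actually left,
 * and the loop uses p < end so an overshoot can never be stepped over. */
size_t copy_attrs_fixed(const char *buf, size_t len, char *out, size_t cap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    out[0] = '\0';
    while (p < end && *p != '<')
        p++;
    if ((size_t)(end - p) < 3 || memcmp(p, "<a ", 3) != 0)
        return 0;                                  /* truncated, or not an <a> tag */
    p += 3;
    while (p < end && *p != '>' && n < cap - 1)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Run one scanner over `page_text` (at most 8 bytes, copied without a NUL),
 * with a constructed sample of another tenant's data right after it.
 * The scanner is handed the start of the struct as a plain byte buffer and
 * told the page is strlen(page_text) bytes long. Returns the byte count. */
size_t demo(size_t (*scan)(const char *, size_t, char *, size_t), const char *page_text)
{
    struct edge_memory mem;
    size_t len = strlen(page_text);
    if (len > sizeof mem.page)
        return 0;
    memset(&mem, 0, sizeof mem);
    memcpy(mem.page, page_text, len);
    strcpy(mem.other, "Cookie: session=SECRET-TOKEN-OF-ANOTHER-SITE; Path=/>");
    return scan((const char *)&mem, len, g_out, sizeof g_out);
}

const char *demo_output(void)
{
    return g_out;
}

int main(void)
{
    size_t n = demo(copy_attrs_vuln, "hello <a");    /* page ends inside the tag */
    printf("vulnerable: copied %zu bytes: \"%s\"\n", n, demo_output());
    n = demo(copy_attrs_fixed, "hello <a");
    printf("fixed:      copied %zu bytes: \"%s\"\n", n, demo_output());
    n = demo(copy_attrs_fixed, "<a x=1>");           /* well-formed tag still works */
    printf("fixed, well-formed: \"%s\"\n", demo_output());
    return 0;
}
```

On the truncated page the vulnerable scanner copies the neighbouring cookie string (minus its first byte, which the 3-byte skip jumps over) and reports 51 bytes; the hardened scanner sees that fewer than 3 bytes remain after the '<' and returns nothing. The two points to take from it are that a bounds check written as equality is only as good as the guarantee that the pointer cannot leap over the end, and that the leaked bytes are simply whatever sits next in memory.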
The discovery was reported by Google's Project Zero team. Tavis Ormandy posted the issue on his team's issue tracker and said that he informed Cloudflare of the problem on February 17. In his own proof-of-concept attack he got a Cloudflare server to return "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
In its effects, Cloudbleed is similar to the 2014 Heartbleed bug: both allowed unauthorized third parties to obtain data from the memory of programs running on web servers, including data that was protected by TLS in transit. Cloudbleed could also have affected as many users as Heartbleed, since it hit a security and content delivery service used by close to 2 million websites. One practical difference is that Heartbleed could be triggered on demand against a chosen server with a malformed TLS heartbeat request, whereas Cloudbleed leaked memory into responses for pages that happened to trigger the bug, so what an attacker received was whatever other traffic the same edge server was handling at the time.
Tavis Ormandy, who first discovered the vulnerability, immediately drew a comparison to Heartbleed, saying "it took every ounce of strength not to call this issue 'cloudbleed'" in his report.
On Thursday, February 23, 2017, Cloudflare wrote a post noting that:
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
The greatest period of impact was from February 13 to February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests).