Cloudflare Leaks Passwords and Sensitive Data

Sensitive data including cookies, passwords and API keys has been leaked by the content delivery network Cloudflare. Read on to learn about the incident.

The Cloudflare Leak Dubbed “Cloudbleed”

Security experts and specialized media report that passwords and sensitive data, including cookies and API keys, have leaked from Cloudflare. The company itself announced the news in a detailed post on its blog. At the time of writing there is no confirmed abuse of the leaked data, and we hope it stays that way.

The first report came from Tavis Ormandy, a member of Google’s Project Zero, who contacted the Cloudflare team to report a security issue with the company’s edge servers. In his tests, HTTP requests passing through some of the machines returned corrupted web pages. Further investigation revealed that the HTML parser on those servers read past the end of its buffer and returned whatever memory followed it, which contained private information from other requests passing through the same server. The observed data included HTTP cookies, authentication tokens and HTTP POST bodies, among other types of sensitive data.
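The mechanism described above is a classic buffer overrun in a scanner. Cloudflare’s own incident report traced it to an end-of-buffer check in generated parser code that tested for equality with the end pointer rather than “greater or equal”, so a step that advanced the pointer by two could jump past the end and the scan continued into neighbouring memory. The following is an added example, written for this article and not Cloudflare’s code: a miniature attribute scanner in the vulnerable shape beside a hardened one, run over constructed sample memory in which an HTML chunk ending in an unterminated attribute is followed by another request’s cookie and bearer token. The PAGE and NEIGHBOUR strings, the `run_scan` helper and the `guard` limit are all assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not taken from any real request. PAGE is the
 * HTML chunk the parser is allowed to see: its last quoted attribute is
 * unterminated and the chunk ends on a backslash. NEIGHBOUR stands for
 * memory of an unrelated request that happens to follow it in the same
 * arena, the way a cookie or token sat next to the page in the edge
 * server's process. */
static const char PAGE[] = "<script src=\"/a.js\" data-x=\"unterminated\\";
static const char NEIGHBOUR[] =
    "Cookie: session=deadbeef; Authorization: Bearer s3cr3t\"";

/* Vulnerable scanner: copies the last double-quoted attribute value found
 * in [p, pe) into out. End of input is detected with p == pe. An escaped
 * character advances p by two, so when the chunk ends on a backslash p
 * lands at pe + 1, the equality test never fires, and the scan runs on
 * into NEIGHBOUR until it meets a quote there. `guard` is a demo-only
 * limit so the bug cannot crash this program; the real parser had none. */
static size_t scan_attr_vulnerable(const char *p, const char *pe,
                                   const char *guard, char *out, size_t outsz)
{
    size_t n = 0;
    int in_quote = 0;
    for (;;) {
        if (p == pe) break;             /* BUG: must be p >= pe */
        if (p >= guard) break;          /* demo-only safety net */
        char c = *p;
        if (!in_quote) {
            if (c == '"') { in_quote = 1; n = 0; }
            p++;
        } else if (c == '"') {
            in_quote = 0;               /* value complete, keep scanning */
            p++;
        } else if (c == '\\') {
            if (n + 1 < outsz) out[n++] = p[1];   /* escaped char: step over both bytes */
            p += 2;
        } else {
            if (n + 1 < outsz) out[n++] = c;
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened scanner: the loop condition uses < (equivalently, the exit test
 * uses >=), and an escape on the last byte is not allowed to peek past pe. */
static size_t scan_attr_fixed(const char *p, const char *pe, char *out, size_t outsz)
{
    size_t n = 0;
    int in_quote = 0;
    while (p < pe) {
        char c = *p;
        if (!in_quote) {
            if (c == '"') { in_quote = 1; n = 0; }
            p++;
        } else if (c == '"') {
            in_quote = 0;
            p++;
        } else if (c == '\\') {
            if (p + 1 < pe && n + 1 < outsz) out[n++] = p[1];
            p += 2;                     /* may become pe + 1; the < test still stops */
        } else {
            if (n + 1 < outsz) out[n++] = c;
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Lay PAGE and NEIGHBOUR out contiguously and run one scanner over the
 * PAGE part only. Returns the number of bytes copied into out. */
size_t run_scan(int vulnerable, char *out, size_t outsz)
{
    char arena[256];
    size_t page_len = strlen(PAGE), nb_len = strlen(NEIGHBOUR);
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, NEIGHBOUR, nb_len + 1);   /* arena stays NUL-terminated */
    const char *p = arena, *pe = arena + page_len;
    return vulnerable
        ? scan_attr_vulnerable(p, pe, arena + page_len + nb_len, out, outsz)
        : scan_attr_fixed(p, pe, out, outsz);
}

int main(void)
{
    char out[128];
    run_scan(1, out, sizeof out);
    printf("vulnerable: \"%s\"\n", out);   /* carries the neighbouring cookie and token */
    run_scan(0, out, sizeof out);
    printf("fixed:      \"%s\"\n", out);   /* stops at the chunk boundary */
    return 0;
}
```

The vulnerable variant returns the attribute value with the neighbouring request’s `Cookie` and `Authorization` data appended, which is exactly the kind of cross-request content that ended up in cached responses; the fixed variant returns only `unterminated`. The general lesson is that every pointer advance in a hand-written or generated scanner must be bounded with an inequality, and a step of more than one byte must be checked before, not after, it is taken.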

Fortunately no private SSL keys were leaked: SSL termination is handled by a separate, isolated process, so the parser bug could not expose that memory. The team responded quickly and disabled the three minor Cloudflare features that used the HTML parser chain responsible for the leak: e-mail obfuscation, server-side excludes and automatic HTTPS rewrites. Soon after, a cross-functional team of software engineering, information security and operations specialists was formed in both San Francisco and London to mitigate any consequences. That team has to ensure the bug is fully analyzed and that any cached copies of the leaked memory are removed from the search engines that may have indexed them. Many of the content delivery network’s features rely on parsing and modifying HTML pages as they pass through the edge servers. Cloudflare is used on millions of sites, which means an enormous number of requests pass through it every second.

Ormandy, who made the initial discovery, found valuable information in the cached data, including hotel bookings, data from a password management service and private messages from dating sites. Fortunately there are no reports of abuse so far, and Cloudflare has assembled a global team to counter possible misuse.

Users of affected services should change their passwords and, where possible, rotate API keys and log out of all sessions so that any cookies or tokens that passed through an affected edge server during the leak window become worthless. The leak has been dubbed “Cloudbleed” by some experts.

Cloudflare Affected Sites

Some of the affected sites include popular services such as Uber and the dating site OKCupid. Other high-profile services include the 1Password password manager and Fitbit. Representatives of 1Password have stated that any exposed data from their service should not concern customers, because it is encrypted on the client before it ever reaches Cloudflare’s servers.

According to the reports, a small number of internal secret keys used by the content delivery network for authentication were also leaked. The greatest impact was in the period between February 13 and 18, when roughly one in every 3.3 million HTTP requests passing through the network could have resulted in leaked memory. That rate sounds small, but given Cloudflare’s request volume it still amounts to a large number of leaked responses, and the leak window as a whole stretches back to September 2016, when the first of the affected features was enabled.

Besides web sites, security researchers found that many mobile apps are also affected. Of the top 3,500 iOS apps, about 200 were identified as using the Cloudflare network. Using Cloudflare does not by itself prove that an app’s traffic was leaked, but it does mean that its requests passed through the affected servers. The list includes the following:

tv.lifechurch.bible, com.yelp.yelpiphone, net.box.BoxNet, com.abcnews.ABCNews, com.nicusa.FBIMostWanted, com.grindrguy.grindrx,
com.fboweb.MyRadar, com.getdropbox.Dropbox, com.crunchyroll.iphone, com.lsn.localwirelessOEM67, com.lsn.localwirelessOEM1005,
com.okcupid.app, com.beenverified.BackgroundChecker, com.fiverr.fiverr, com.sports.iCric, com.allstate.dev.allstate,
com.meetup.iphone, 27W7W2CQJT.RealFlashlight, betterment, com.devhd.feedly, com.stuckpixelinc.wallpapershd2,
com.mixcloud.iphone, com.ultimateguitar.tabsipad, com.cozi.icozi-free, com.cnn.cnnipad,
com.heavydutyapps.sleeppillowfree, com.miniclip.animalshelter, com.copart.membermobile,
com.citrixonline.GoToMyPC, com.finicity.mvelopes, com.graydigitalmedia.wilxnews,
com.graydigitalmedia.wndunews, com.hearstnp.sfgate.ipad.paid, com.westernunion.mtapp,
guitar.lite, com.roblox.robloxmobile, lunosoftware.sportsalerts, com.sayhi.client,
com.masteryconnect.CommonCore, com.77sparx.puzzingo, com.studypadinc.splashmath.ipad.grade3.lite,
com.ibearsoft.moneyforipadfree, ContactsSyncWithGroupsForGmail, com.Design-Menace.Barstool-Sports,
com.theknot.theknot, com.fitbit.FitbitMobile, com.nbcuni.telemundo.deportes, com.ticktockapps.wallhd-10000,
net.rt7.Qriket-Game, com.appadvice.appsgonefree, idans.Ruler, com.fishbrain.app, fr.ftw-and-co.whoozer,
com.thredup.thredup, com.footballaddicts.livescoreaddicts, com.HP.PregnancyiPhonelite, com.emoji.freemium,
com.postmates.getitnow, com.creditkarma.mobile, fr.beinsport.beinsport, com.generamobile.lfpiPhone,
com.quizlet.quizlet, com.dayananetworks.voicerecordpro, tv.yokee.karaoke, org.pac-12.pac12.ios,
com.touchofmodern.tomo, com.checkout51.rc, com.IU.yourmoments, com.zedge.Zedge, mobi.abcmouse.academy,
com.picsart.studio, com.glassdoor.glassdoor, com.rev.revcorder, com.speakaboos.ipad, com.thomsonreuters.Reuters,
com.planner5d.Planner-5D, com.transferwise.Transferwise, com.movile.playkids, com.Drippler.Drippler,
com.djloboapp.djlobo, gov.bbg.ocb, com.mkjigsaw.jigsawcollectionhd, com.fatchicken007.headsupcharades,
lt.manodrabuziai.us, com.microsoft.exchange.iphone, com.microsoft.exchange.ipad, realguitar.tuner,
com.TapMediaLtd.VoiceRecorderFREE, org.getpure.pure-iphone, com.rapgenius.RapGenius,
com.APPSTARME.GTA5CHEATS, com.surfcityapps.endanxiety, com.breitbart.app,
com.touchsoftware.instasize, com.kinedu.kineduapp, com.brainly.us,
com.apalonapps.emojifree, com.apalonapps.ringtones, com.apalonapps.alarmclockfree,
com.imptrax.drivingtest.ultimate, com.productmadness.hovmobile, com.fotostudio.SaveGramFree,
com.elnuevodia.ipad, com.medium.reader, com.disrapp.coinkeeper, com.instasound.InstaSound,
org.voisine.breadwallet, com.vilcsak.bitcoin2, com.vilcsak.bitcoin2, net.peakgames.amy,
com.simpleradio.SimpleRadioFree, com.polleverywhere.mobile, com.countable.countableus,
com.mercariapp.ios.mercari, com.mixerbox.QR, com.monclarity.brainwell, com.mmm.projectcarmen,
com.circle.CircleApp, au.com.metro.DumbWaysToDie2, com.loveyouchenapp.photovault, com.yelp.bizapp,
rschiks.kcc, com.loveyouchenapps.knockout, com.bitpay.copay, com.microsoft.Office.Outlook,
com.23andme.core, com.victorSharov.water, com.worldcraft.dreamisland, com.DealDash.DealDashMobile,
com.airgoat.goat.ios, com.podbean.app.podcast, mediatube.smartselwady.com, com.hammerandchisel.discord,
com.hmhco.curiousworldv2, uk.co.disciplemedia.lukebryan, net.intermarkets.drudge, com.ovulationcalendar.OC,
com.mondsleo.freemusic, com.apalonapps.pdffree, com.rebagg.ios, com.yalla-shoot.Yalla, co.allconnected.vpnmaster,
com.microsoft.groupies-daily, app.walpapers, com.ascellamobile.musicloudfree, com.heavydutyapps.gymWorkout,
com.soundbrenner.metronome, com.fortafygames.colorswitch, com.gs.cookieapp, com.apalonapps.smartalarmfree,
com.tastypill.twistywheel, com.storytree.businessprints, com.ubisoft.horseadventures, com.collage.belka,
com.tastypill.twistyarrow, com.kbornapp.newsfivenightsatfreddy4, com.hypah.io.slither, com.apalonapps.clrbook,
com.kasamba.ios, com.lush.Lush, com.ticktockapps.girlwallpapers, com.beinsports.content,
com.wallpapershdinc.cutewallpapers, com.tapcrew.mysignin, com.landdragoon.sacompanion,
com.windforce.justrolling, com.maddog.rainbowvpn, com.tigrido.color6, com.scancode.qr,
co.longgame.reactnative.app, co.medaistream.pokemap2, io.goradar.radar,
com.outlook.dollyapps.musify-for-cloud, com.appnoxious.hillary, com.mariowolfie.privatebrowser,
com.ml.BreitHedge, com.ifisek.instareportapp, com.doximity.Dialer, cp.view.musicly2,
net.ays.PROD608155, com.kristenducket.musipulfree, com.wpta.reader,
com.bluebelllush.highschoollove2, com.mcb.iplayNew, com.pressmatrix.musikpraxis,
com.joomag.archidom, com.tenelevenitserv.jv, com.H15D.Drawing-Tutorials-Fairies.2,
com.hastudio.hotstar, com.firstwireapp.indiafashionblogger, gazisoft.cloudykids,
com.MeetingPlay.WORLEY17, com.tinydragonadventuregames.my.virtual.dragon.pet.shop.baby.talking.story.city.land.kids.love.little.pony.sims.tamagotchi.pou,
net.ays.PROD618140, net.ays.PROD622094, net.ays.PROD615756, com.gorselpanel.board,
com.dg.oceanbreezegames.solitaire.elvenwoods.ios, net.ays.PROD627137, com.nexur.estacaocross.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

