Popular middleman web service Cloudflare has been hit by a serious security flaw, admitting that it has been leaking information from clients' TLS-protected traffic over the past few months.
Designed primarily as a content delivery network (CDN), Cloudflare offers its customers a range of services from protection against distributed denial of service (DDoS) attacks through to analytics. Sitting between a visitor and the actual web server, Cloudflare caches content and can also decrypt then re-encrypt TLS protected traffic or even decrypt the traffic altogether and send it on to the target server unprotected, leaving the visitor with the false impression that the traffic is fully protected on its journey. While that's a potential security issue affecting those who don't offer HTTPS connectivity on their webservers, Cloudflare users have been hit with a more serious flaw: information leakage even when using TLS protection.
Discovered four days ago by Google Project Zero member Tavis Ormandy, the flaw is major. 'If an HTML page hosted behind CloudFlare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialised memory into the output,
' Ormandy explained of his findings in his bug posting
. 'My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates HTML - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users.
The data gathered are the sort of thing that should definitely not be public knowledge: private keys for encryption systems, plain-text passwords, and even scraps including private messages from dating sites. With Cloudflare protecting some major websites - including two-factor authentication service Authy.com, hosting site Digital Ocean, dating site OKCupid, crowdfunding site Patreon.com, notorious Bittorrent tracker The Pirate Bay, and even Transport for London's official website - the flaw is widespread and severe.
Cloudflare, for its part, responded to the problem quickly and has since taken down the affected services in order to restore security to its users. It's possible, however, that anyone using any of the affected sites had personal information leaked - leaving members of an estimated 4,300,000 domains needing to change their passwords in order to ensure they remain secure.
Cloudflare has published a post-mortem on the bug
, which may have been active since mid-2016. Both Cloudflare and Google have resisted giving the flaw a name, though Ormandy joked that 'it took every ounce of strength not to call this issue "cloudbleed,"
' in reference to the earlier Heartbleed vulnerability - ensuring, naturally, that the media immediately started calling the issue Cloudbleed and a pseudonymous designer contributed the logo used to illustrate this article.