News

Cloudflare Leaking HTTPS Data for Major Websites

A security researcher discovered that sites using Cloudflare’s networking services have been leaking data for months, including HTTPS requests, which includes personal messages shared via dating sites and chat services. According to Tavis Ormandy, who works at Google Project Zero, Cloudflare was bleeding HTTP cookies, authentication tokens, HTTP POST bodies, and search engine data caches for months.

“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting,” Ormandy wrote. “It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”

“It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data,” he explained. “The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare – a major cdn service.”

“A while later, we figured out how to reproduce the problem,” Ormandy added. “It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I’ll explain later). My working theory was that this was related to their “ScrapeShield” feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.”

Notable sites affected by the issue include dating site OKCupid, genomics company 23andMe, content funding site Patreon, publishing platform Medium, and even 4Chan.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy revealed. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,”

After communicating Cloudflare, Ormandy confirmed that the issue has now been patched.

Ashley Allen

Disqus Comments Loading...

Recent Posts

Trust Gaming GXT 609 Zoxa 2.0 PC Speakers

SOUNDS GREAT – Full stereo sound (12W peak power) gives your setup a booming audio…

4 hours ago

PowerA Wired Controller for Nintendo Switch

Special Edition Yoshi design Ergonomic controller shape with Nintendo Switch button layout Detachable 10ft (3m)…

4 hours ago

Logitech G Saitek PRO Flight Rudder Pedals

Fluid Motion: These flight rudder pedals are smooth and accurate that enable precise control over…

4 hours ago

Logitech G Saitek Farm Sim Controller

Heavy Equipment Bundle: Includes a steering wheel for heavy machinery, gas and brake pedals, and…

4 hours ago

Razer Ornata V3 X – Low Profile Gaming Keyboard

Low-profile Keys for an ergonomic gaming experience. With slimmer keycaps and shorter switches, enjoy natural…

4 hours ago

Glorious Gaming Model O Wired Gaming Mouse

Size & style: Ambidextrous lightweight mouse for gaming. Built for speed, control and comfort, with…

4 hours ago