News

Cloudflare Leaking HTTPS Data for Major Websites

A security researcher discovered that sites using Cloudflare’s networking services have been leaking data for months, including HTTPS requests, which includes personal messages shared via dating sites and chat services. According to Tavis Ormandy, who works at Google Project Zero, Cloudflare was bleeding HTTP cookies, authentication tokens, HTTP POST bodies, and search engine data caches for months.

“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting,” Ormandy wrote. “It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”

“It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data,” he explained. “The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare – a major cdn service.”

“A while later, we figured out how to reproduce the problem,” Ormandy added. “It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I’ll explain later). My working theory was that this was related to their “ScrapeShield” feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.”

Notable sites affected by the issue include dating site OKCupid, genomics company 23andMe, content funding site Patreon, publishing platform Medium, and even 4Chan.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy revealed. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,”

After communicating Cloudflare, Ormandy confirmed that the issue has now been patched.

Ashley Allen

Disqus Comments Loading...

Recent Posts

Still Wakes the Deep 

LIVE THE HORROR: An immersive disaster story aboard a stunningly realised North Sea oil rig,…

1 hour ago

PHILIPS 275V8LA – 27 Inch QHD Monitor

The Philips VA LED display uses an advanced multi-domain vertical alignment technology that gives you…

1 hour ago

EPOMAKER Ajazz AK820 Pro 75% Gasket-mounted Mechanical Keyboard 

【TFT Screen: The Interactive Interface】This 75% mechanical keyboard comes equipped with a TFT Screen, serving…

1 hour ago

Funko Fusion

FANDOM FUSION Play as your favorite characters and wield their unique weapons and skills. Team…

1 hour ago

Shin Megami Tensei V: Vengeance Standard Edition

The Definitive Version of Shin Megami Tensei V - Fully evolved with stunning visuals for…

1 hour ago

Hand Warmers Rechargeable 2 Pack

【Unique Split Design】5200mAh hand warmers rechargeable together with double-sided heating function, split snap swivel design,…

1 hour ago