Cloudflare Bug Leak
As reported by Tavis Ormandy of Google's Project Zero team, sensitive data such as passwords and authentication cookies leaked because Cloudflare's edge servers mishandled a buffer. This sensitive data was subsequently cached by search engines like Google, Yahoo and Bing.
Why Cloudbleed Name?
Tavis Ormandy of Google's Project Zero team named this Cloudflare leak Cloudbleed, after the Heartbleed security incident which occurred in 2014.
Extent of Leakage
There were problems with 3 features of Cloudflare:
1. Email obfuscation [leakage since 13th February 2017]
2. Server-side Excludes [leakage since 30th January 2017]
3. Automatic HTTPS Rewrites [leakage since 22nd September 2016]
As reported by Cloudflare, 1 in 3,300,000 HTTP requests potentially resulted in memory leakage, i.e. 0.00003% of requests.
Cause of Leakage
Faulty Ragel code: the pointer was able to step past the end of the buffer, a condition known as a buffer overrun.
The Ragel code Cloudflare used contained a bug that caused the pointer to jump over the end of the buffer. Because the end-of-buffer test was an equality check, a pointer that had already moved beyond the end never matched it, so the overrun went undetected.
The memory being leaked was from a process based on NGINX that does HTTP handling. It has a separate heap from processes doing SSL. Only HTTP requests got leaked.
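The failure mode described above, as a simplified C model added here for illustration (it is not Cloudflare's Ragel-generated code): the scanner, the names `scan` and `leaked_bytes`, and the sample buffer are all constructed for this example. It runs the same scanner with an equality end test and with a `>=` end test.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed layout: the first LOGICAL bytes are the HTML being parsed; the
   remaining bytes stand in for unrelated data sitting next to it in memory. */
#define LOGICAL  8
#define PHYSICAL 24
static const char ARENA[PHYSICAL + 1] = "<a href=" "SECRET-COOKIE-XY";

/* Hypothetical scanner: copies input to out and, after '=', skips one more
   byte (the expected opening quote). That skip can carry p from pe - 1
   straight to pe + 1 without ever equalling pe. */
static size_t scan(const char *p, const char *pe, char *out, int equality_check)
{
    const char *hard_end = ARENA + PHYSICAL; /* demo-only stop, keeps reads in ARENA */
    size_t n = 0;
    while (p < hard_end) {
        /* Weak test: stops only if p lands exactly on pe.
           Hardened test: stops once p is at or beyond pe. */
        if (equality_check ? (p == pe) : (p >= pe))
            break;
        char c = *p++;
        out[n++] = c;
        if (c == '=')
            p++;
    }
    out[n] = '\0';
    return n;
}

/* Number of bytes emitted that came from beyond the logical end of input. */
size_t leaked_bytes(int equality_check, char *out)
{
    size_t n = scan(ARENA, ARENA + LOGICAL, out, equality_check);
    return n > LOGICAL ? n - LOGICAL : 0;
}

int main(void)
{
    char out[PHYSICAL + 1];
    printf("p == pe: %zu bytes leaked, output \"%s\"\n", leaked_bytes(1, out), out);
    printf("p >= pe: %zu bytes leaked, output \"%s\"\n", leaked_bytes(0, out), out);
    return 0;
}
```

The input is truncated right after `=`, so the extra skip is what moves the pointer over the logical end; only the `>=` comparison notices.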
Cloudflare Bug Fix
With the help of Google, Yahoo, Bing and others, Cloudflare found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.
Within an hour of the incident being reported, Cloudflare started fixing the issue, and it completely resolved Cloudbleed within 8 hours.
Cloudbleed connection with Bitcoin
Since a lot of websites use Cloudflare, the affected sites include some major Bitcoin sites as well, such as Coinbase, Poloniex and many others.