Cloudflare informed its clients that it has not found any evidence of the recently discovered memory leak being exploited for malicious purposes before it was patched. Google Project Zero researcher Tavis Ormandy has been credited with discovering the bug on the 17th of February. Ormandy jokingly considered calling it Cloudbleed, since it has some similarities with Heartbleed, and the name stuck.
The company determined that the bug caused its edge servers to run past the end of a buffer and return memory that contained potentially sensitive information, including cookies and authentication tokens. Ormandy also found that the leaked data contained passwords, private messages from dating sites, encryption keys, IP addresses, HTTPS requests and chat messages.
The flaw, which was introduced back in September 2016, had the greatest impact between the 13th and the 18th of February 2017, when one in every 3.3 million requests going through Cloudflare’s systems may have resulted in memory leakage. Although the bug was addressed within hours, it took several days to contain the incident because the leaked data had already been cached by search engines.
Cloudflare co-founder and CEO Matthew Prince said that although the bug was extremely serious due to its potentially massive impact, an analysis of the logs showed no evidence of malicious exploitation, adding that the majority of customers were not affected.
Prince said that if a hacker had been aware of the bug’s existence before it was patched and had tried to exploit it, the best way for them would have been to send as many requests as possible to a page that contained the set of parameters that would trigger the bug, and then record the results. Consequently, most of what they would have access to would be useless, although some would contain very sensitive information.
Prince also said that Cloudflare’s biggest worry was whether a hacker had been aware of the bug’s existence and had been quietly mining data before Google’s Project Zero team notified the company, after which it patched the bug.
Cloudflare has not identified any instances where the leaked memory included passwords, card numbers, customer encryption keys, or health records. However, Ormandy believes that Cloudflare downplayed the risk, since he found passwords in the leaked data.
Prince said that it’s not correct to conclude that no credit cards, passwords, health records, social security numbers, or customer encryption keys were exposed. He pointed out, however, that based on the data they have reviewed, the exposures were not widespread.
A list of potentially affected websites and a simple Chrome app for Mac have been made available for users who are concerned that their data may have been exposed.