CloudFlare Against CloudBleed, A Bug That Leaked Millions Of Sensitive Data From Its Customers' Websites

CloudBleed

CloudFlare is a company that provides a variety of performance and security services to millions of websites. It was revealed that a bug has caused it to leak potentially sensitive customer data on the internet.

The bug was first discovered by Tavis Ormandy, a researcher on Google's Project Zero team, on February 17th, 2017, and it could have been leaking data since as early as September 22nd, 2016.

Ormandy compared the bug to Heartbleed in his report, saying "it took every ounce of strength not to call this issue 'CloudBleed'."

The bug was caused by CloudFlare's reverse proxies, which under certain conditions inserted random data from its many millions of customers' websites onto the websites of a smaller subset of customers.

This means that information such as usernames or passwords, or even the ride-sharing trips users have made, could end up hidden away in another website's code.

Some of the leaked data included sensitive HTTP cookies, HTTP POST bodies, login credentials, API keys, authentication tokens and other sensitive data, as well as some of CloudFlare's own internal cryptography keys. And because CloudBleed just threw out that sensitive information to the World Wide Web, some of the leaked cached data was then crawled and indexed by search engines, like Google and Bing.

"Because CloudFlare operates a large, shared infrastructure, an HTTP request to a CloudFlare website that was vulnerable to this problem could reveal information about an unrelated other CloudFlare site," said CloudFlare's CTO John Graham-Cumming, explaining the problem in a blog post.

According to the company, the greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through CloudFlare potentially resulting in memory leakage.

He said that there is no indication in CloudFlare's logs or elsewhere that hackers or others have taken advantage of CloudBleed, but the data is out there. It is outside the grasp of most web users, but for those who are used to crafting specific search engine queries to look for leaked data, the information is there.

Bug

A CloudFlare leak like CloudBleed probably doesn’t mean much to most internet users. But to the more than 5.5 million websites that use CloudFlare, this is certainly a big issue.

CloudFlare also worked with Google and other search engines to remove the leaked data from their indexes so people won't be able to search for and find that data. But fallout still remains.

According to CloudFlare's CEO Matthew Prince, about 3,000 customers who had certain HTML on their sites and were running particular CloudFlare settings were triggering the bug while it was active.

The data that leaked out could go to any CloudFlare customer that happened to be in the server's memory at that particular moment. Prince said that so far, CloudFlare is aware of 150 of its customers whose data was impacted in some way.

"It's obviously very serious for us, and it's very serious for our customers," he said. But he added that the chances of this impacting others are relatively minimal. "We don't like screwing up. It hurts. I don't want to downplay the severity of this. It was a very bad bug."

To mitigate any risk that remains, CloudFlare suggested that customers using its services change their passwords for every online account they have. This is because the CloudBleed leak could have exposed just about anything.

Using standard security measures like updating passwords and enabling two-factor authentication is always the best first line of defense.

After learning of the bug, CloudFlare acted quickly to address the issue. The company rolled out a preliminary fix in less than an hour, and permanently fixed and patched the flaw across its systems in less than a week.