Memory Leak caused by Cloudflare Exposed their Customer Data
Cloudflare, the popular Content Delivery Network (CDN) trusted by over 5.5 million websites, has warned customers of a recent bug that exposed private information to standard search engines. Under some unusual circumstances, Cloudflare edge servers would run past the end of a buffer and return data that the requesting user was not authorized to see, if that data had traversed Cloudflare.
While cyber security is always in flux, the most recent bug with Cloudflare, called Cloudbleed, is one of the worst data breaches of the past few years. In fact, many security experts are saying that this bug is as bad as it gets because companies using Cloudflare can’t prove to their customers that their private data is secure.
Cloudbleed is a bug in Cloudflare’s HTML parser, and the private data of users on any website using Cloudflare was potentially exposed to anyone making an HTTP request. The reason this bug is so bad is that the modern web is designed to aggressively cache HTTP responses to speed up online content, so leaked data could persist in those caches.
The scariest part of this entire situation is how easy it would be to access private data. As information passed through Cloudflare servers, some data might have been leaked from any website using Cloudflare services. Even if the information was sent over HTTPS, the private data could have been picked up by third-party scrapers and public search engines, where anyone searching could find it.
Many of Cloudflare’s services rely on edge servers that parse and modify HTML pages. This type of operation allows Cloudflare to rewrite http:// pages to https://, insert Google Analytics tags, and enable AMP. The parser is what makes these real-time modifications to HTML pages possible.
While the parser is not the sole culprit for Cloudbleed, it is one of the ingredients that allowed this to happen. When combined with several other elements, it caused private data to leak from buffers on Cloudflare servers.
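The following added example illustrates the general bug class the article describes, a parser running past the end of its buffer; it is not Cloudflare's parser code. The toy scanner, its function names and the sample bytes are all constructed for illustration, with the "neighboring" data placed in the same array so the over-read is visible without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first PAGE_LEN bytes are a truncated page; the rest
   stands in for another request's data sitting next to it in memory. */
static const char ARENA[] = "<a href=" "XCookie: sid=constructed\"";
#define PAGE_LEN 8

/* Toy scanner (hypothetical): copy the first quoted attribute value to out. */
static size_t attr_value_unsafe(const char *buf, size_t len, char *out, size_t cap) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p != end && *p != '=') p++;
    p += 2;                      /* skips '=' and the quote without checking end */
    /* For the sample, p is now end + 1, so the equality test never fires. */
    while (p != end && *p != '"' && n + 1 < cap) out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Same scanner with ordered comparisons and a check before the two-byte skip. */
static size_t attr_value_safe(const char *buf, size_t len, char *out, size_t cap) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    out[0] = '\0';
    while (p < end && *p != '=') p++;
    if (end - p < 2 || p[1] != '"') return 0;   /* truncated or unquoted */
    p += 2;
    while (p < end && *p != '"' && n + 1 < cap) out[n++] = *p++;
    out[n] = '\0';
    return n;
}

int main(void) {
    char out[64];
    attr_value_unsafe(ARENA, PAGE_LEN, out, sizeof out);
    printf("unsafe: \"%s\"\n", out);   /* bytes from beyond the page */
    attr_value_safe(ARENA, PAGE_LEN, out, sizeof out);
    printf("safe:   \"%s\"\n", out);   /* empty: truncated input rejected */
    return 0;
}
```

The unsafe version returns bytes that were never part of the page it was asked to parse, which is the kind of output that caches and crawlers then stored.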