
The CloudScare

Last week the world learned that Cloudflare servers had been leaking data for as long as five months. Before this, Cloudflare already had its share of controversy. In 2013, it was accused, in a roundabout way, of giving aid and comfort to the enemy because nefarious websites were found to use its service. Cloudflare’s CEO Matthew Prince responded in a blog post, “Cloudflare and Free Speech,” arguing that it is not Cloudflare’s role or place to evaluate and police the content of the websites that pass through its servers. Cloudflare has a good case. In 2015, the hacking group Anonymous claimed that Cloudflare was “helping” ISIS because ISIS-related sites were also found to be using Cloudflare. The Cloudflare CEO called the claims “absurd,” and in a way he is right: when we find out that ISIS terrorists use iPhones, we do not conclude that Apple is helping them. While the claim that Cloudflare “supports” ISIS is absurd, in light of the data breach it may matter that Cloudflare is so widely used by such a broad and unvetted range of customers.

What is Cloudflare?

Cloudflare is designed to serve up your content quickly to the right people while blocking the people with ill intent, including DDoS (Distributed Denial of Service) attackers. To do that, Cloudflare sits between a server and its users and controls and monitors the traffic. Last week Cloudflare publicly admitted that its servers had been leaking data. It was not a hostile attack; a flaw in Cloudflare’s own software caused the breach.

Tavis Ormandy, a white-hat hacker from Google’s Project Zero, discovered the leak. Project Zero is a Google team that hunts for previously unknown vulnerabilities in widely used software. Ormandy found the problem while analyzing Google search results: raw data from unrelated websites was appearing in results for other sites. He worked out that Cloudflare was leaking data between its customers’ sites.

That is just as scary as it sounds. Site A’s information showed up as raw data in responses for Site B. Great effort goes into isolating one site from another on a shared server, and security engineers employ both hardware and software measures to prevent exactly this sort of cross-tenant exposure; in that regard, Cloudflare gets respect. Because no attacker triggered the leak, nothing in Cloudflare’s monitoring flagged it. To oversimplify: a buffer overrun happens when code reads or writes past the end of the memory set aside for a piece of data. Here, Cloudflare’s HTML parser read past the end of its buffer, and the extra bytes it copied into a response came from adjacent memory that happened to hold other customers’ requests. The leaks were discovered because search engines crawled and cached those responses, extra data included, which is where Ormandy found them.
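The following is an added example, not Cloudflare’s code and not from the original article: a small C model of how a buffer over-read hands one tenant’s bytes to another. Two buffers are laid out back to back in a constructed arena (the layout, the field names and the “session=s3cr3t” value are all made up for the demonstration). The vulnerable scanner stops only when its pointer is exactly equal to the end of the buffer, the same shape of check that Cloudflare’s own postmortem identified as the cause, so a two-byte escape sequence at the end of buffer A steps the pointer past the end and the scanner keeps copying from buffer B. The fixed scanner uses an ordering comparison and refuses a truncated escape.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory layout, not Cloudflare's code: one arena holds two
 * buffers back to back, the way a busy server's heap does.  Buffer A is the
 * one being parsed; the bytes immediately after it belong to a different
 * tenant's request (B).  A parser that steps past the end of A lands in B.
 */
#define A_LEN 8
#define B_LEN 32
static char arena[A_LEN + B_LEN];

static void build_arena(void)
{
    /* A is exactly A_LEN bytes (no terminator) and ends in a lone backslash,
       so the final escape sequence is cut off by the buffer boundary. */
    memcpy(arena, "x=1;y=2\\", A_LEN);
    /* B: another customer's request, the data that must never leak
       (constructed sample value). */
    const char *other_tenant = "Cookie: session=s3cr3t\n";
    memset(arena + A_LEN, 0, B_LEN);
    memcpy(arena + A_LEN, other_tenant, strlen(other_tenant));
}

typedef size_t (*scan_fn)(const char *p, const char *pe, char *out, size_t cap);

/*
 * Copy [p, pe) into out up to the first newline.  A backslash escapes the
 * byte after it; both bytes are consumed without inspection.
 *
 * VULNERABLE: the loop ends only when p is exactly equal to pe.  Consuming a
 * two-byte escape at the very end moves p to pe + 1, the equality test never
 * fires, and the scanner keeps copying whatever memory follows the buffer.
 */
static size_t scan_line_vulnerable(const char *p, const char *pe, char *out, size_t cap)
{
    size_t n = 0;
    while (p != pe && n < cap) {   /* BUG: equality test, not a bounds check */
        if (*p == '\\') {
            p += 2;                /* may jump straight over pe */
            continue;
        }
        if (*p == '\n')
            break;
        out[n++] = *p++;
    }
    return n;
}

/* FIXED: an ordering comparison catches any overshoot, and a truncated escape
   stops at the boundary instead of reaching for a byte that is not ours. */
static size_t scan_line_fixed(const char *p, const char *pe, char *out, size_t cap)
{
    size_t n = 0;
    while (p < pe && n < cap) {
        if (*p == '\\') {
            if (pe - p < 2)
                break;             /* escape cut off by end of buffer */
            p += 2;
            continue;
        }
        if (*p == '\n')
            break;
        out[n++] = *p++;
    }
    return n;
}

/* Scan buffer A with the given scanner and return 1 if any of tenant B's
   secret ended up in the output, 0 otherwise. */
static int leaks_neighbour(scan_fn scan)
{
    char out[64] = {0};
    build_arena();
    size_t n = scan(arena, arena + A_LEN, out, sizeof out - 1);
    out[n] = '\0';
    return strstr(out, "session=s3cr3t") != NULL;
}

int main(void)
{
    char out[64] = {0};
    build_arena();
    size_t n = scan_line_vulnerable(arena, arena + A_LEN, out, sizeof out - 1);
    out[n] = '\0';
    printf("vulnerable scanner returned %zu bytes: \"%s\"\n", n, out);

    memset(out, 0, sizeof out);
    n = scan_line_fixed(arena, arena + A_LEN, out, sizeof out - 1);
    out[n] = '\0';
    printf("fixed scanner returned %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

Compile with `gcc -Wall -o overread overread.c` and run it: the vulnerable scanner returns A’s seven bytes followed by most of B’s cookie line, while the fixed scanner returns only A’s seven bytes. The demo keeps the over-read inside the arena so it is deterministic; in production the same bug reads whatever the allocator placed next, which is how cookies, tokens and POST bodies from unrelated requests ended up in other customers’ responses.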

Cloudflare has tried to downplay the breach. In a statement, Cloudflare described the “greatest period of impact” as running from February 13, 2017 to February 18, 2017, less than a week. The devil is in the details. They said “greatest,” not “only,” period. We now know that data had been leaking since September 22, 2016, almost five months. Cloudflare suggests that one in every 3.3 million requests leaked. It sounds low, but the Internet is a busy place. Daily requests to Google alone exceed 4 billion. Many popular sites use Cloudflare, and with all of those sites’ daily traffic flowing through Cloudflare servers, one in 3.3 million works out to far more than a few leaks.

Cloudflare stated, “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.” Read this carefully. They are not saying it didn’t happen, or won’t in the future, just that they did not discover any evidence. They did not mention how hard they looked for “malicious exploits.”

This is where Cloudflare’s unvetted roster of customers matters. The conventional wisdom is that this was not calamitous. Still, because data from one site leaked into responses for another, any visitor to a Cloudflare-protected site may have been handed someone else’s private information. There could have been dire consequences if a few of those visitors, with less than honorable intent, realized what they had been served. Since there is no check on who uses Cloudflare, it is not a stretch to think that some of that data has fallen into hands likely to exploit it. The leaked data included cookies, authentication tokens, HTTP POST bodies, and user data. Tavis Ormandy noted, “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users.”

Time to Panic?

Probably not. Still, this is serious business. Even BuzzFeed, the kings of fluff, are suggesting, “If you have or had accounts on Fitbit, Uber, OkCupid, Medium, or Yelp, you should probably change your passwords.” Many more sites than those few are involved. The short list of sites probably affected includes Authy, Patreon, OkCupid, Fitbit, Medium, 4chan, Yelp, Zendesk, Uber, The Pirate Bay, Pastebin, Discord, Change.org, Feedly, National Review, PetaPixel, and TinEye. There are many, many more. If you enjoy horror films, check the list of Cloudflare sites on GitHub.

In the short term, updating your passwords is an excellent idea; it is a good idea every few months even without a breach. If your site uses Cloudflare, it is time to invalidate every active session, so that any session cookie or token that leaked stops working, and to rotate any API keys or other secrets that travel in request or response bodies. It is also prudent to require your site’s members to change their passwords, and absolutely change your admin-level passwords. While the Cloudflare leak probably is not the end of the world, security-wise, it does raise one long-term caution about sharing servers with other tenants.

As more and more of the world is virtualized, and more and more of that virtualization runs on large, publicly shared servers, perhaps Cloudflare’s policy of allowing access without scrutiny is outdated. No one is claiming that Cloudflare was negligent. Perhaps it is simply not possible to fully isolate sites sharing the same space. Breaches may come from human error, component failure, or attacks. If recent history has shown anything, it is that there will be leaks. In this case the leak crossed domains, but it was sent out publicly; Ormandy found it in Google’s public search results. Had he not, Cloudflare might still not have discovered the breach. Had the information leaked only from one domain to another, the fate of the leaked domain and its users would have been in the hands of the owners of the domain receiving the leaks. This incident asks whether it might be time to consider which other clients are using, or passing through, the same servers where your cloud is parked. When you live in a gated community, the greatest vulnerability is from your neighbors.

As it has since 1976, Frontier Computer Corp. can provide IT hardware and enterprise computing solutions. We have experts who can identify the best, safest cloud or physical storage for your data.

Contact FrontierUS at 866.226.6344.

Frontier Computer Corp. is a leader in providing IT solutions worldwide.