Cloudflare Leaking HTTPS Data for Major Websites
Ashley Allen / 4 years ago
A security researcher discovered that sites using Cloudflare’s networking services have been leaking data for months, including HTTPS requests, which includes personal messages shared via dating sites and chat services. According to Tavis Ormandy, who works at Google Project Zero, Cloudflare was bleeding HTTP cookies, authentication tokens, HTTP POST bodies, and search engine data caches for months.
“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting,” Ormandy wrote. “It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”
“It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data,” he explained. “The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare – a major cdn service.”
“A while later, we figured out how to reproduce the problem,” Ormandy added. “It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I’ll explain later). My working theory was that this was related to their “ScrapeShield” feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.”
Notable sites affected by the issue include dating site OKCupid, genomics company 23andMe, content funding site Patreon, publishing platform Medium, and even 4Chan.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy revealed. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,”
After communicating Cloudflare, Ormandy confirmed that the issue has now been patched.