Tuesday, October 15, 2024

Critical Memory leak bug with Cloudflare leaks cookies, authentication tokens


Cloudflare, Inc. is a U.S. company that provides a content delivery network, Internet security services, and distributed domain name server services. It sits between the visitor and the Cloudflare customer’s hosting provider, acting as a reverse proxy for websites.

Cloudflare was leaking a wide range of sensitive information, including authentication cookies and login credentials; the flaw was named Cloudbleed.

Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report the security issue with their edge servers.


The leaked information included “private messages from real dating websites, full messages from a famous chat service, online password manager information, outlines from adult video sites, hotel appointments,” according to Tavis Ormandy.

Their edge servers were running past the end of a buffer and returning memory that contained private data such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive information. Furthermore, some of that data had been cached by search engine indexes.

Period of impact

This bug was introduced in the HTML parser component on September 22, 2016. Cloudflare resolved the issue on February 18, 2017, after the incident was reported by the Google security researcher.

The period of greatest impact was from February 13 to February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that is, around 0.00003% of requests).

Web crawlers such as Google (GOOG, – 0.56%), Yahoo (YHOO, – 0.13%), and Microsoft’s (MSFT, – 0.31%) Bing had inadvertently stored leaked data in their search caches, and the Cloudflare team was working to get that data purged.

Root cause of the bug

The root cause of the bug was that reaching the end of a buffer was checked using the equality operator, so a pointer that stepped past the end of the buffer was not caught. This is known as a buffer overrun.

/* generated code */
if ( ++p == pe )
 goto _test_eof;

The underlying bug occurs because of a pointer error.

“Had the check been done using >= instead of ==, jumping over the buffer end would have been caught,” said Cumming.
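To show why an equality check is not enough, here is an added C illustration (not Cloudflare's parser or Ragel output): a tiny scanner in the shape of the generated loop quoted above, where one hypothetical "action" swallows a two-byte token in a single step, so the pointer can jump straight over pe. The function counts reads beyond the input and is run once with the buggy == check and once with the fixed >= check; the hard stop and sentinel padding exist only so the demo never touches memory it does not own.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Cloudflare's code: a scanner shaped like the
 * Ragel-generated loop quoted above, with a hypothetical action that
 * consumes a two-byte token "<x" in one step. */

#define OVERRUN_LIMIT 8          /* demo-only hard stop so every read stays in bounds */
#define STORAGE_SIZE 64

/* Returns how many bytes were read beyond the end of the input (0 = correct),
 * or -1 if the input does not fit the demo storage. use_ge == 0 reproduces
 * the buggy check (p == pe); use_ge != 0 uses the fixed check (p >= pe). */
int scan_overrun(const char *input, size_t len, int use_ge) {
    char storage[STORAGE_SIZE];
    if (len > STORAGE_SIZE - OVERRUN_LIMIT)
        return -1;
    if (len == 0)
        return 0;                  /* generated code tests p == pe before entering */
    memset(storage, 0, sizeof storage);          /* zeroed sentinel region past pe */
    memcpy(storage, input, len);

    const char *p = storage;
    const char *pe = storage + len;              /* one past the last valid byte */
    const char *hard = pe + OVERRUN_LIMIT;       /* safety fence; absent in a real parser */
    int out_of_bounds = 0;

    while (p < hard) {
        if (p >= pe)
            out_of_bounds++;       /* in the real parser this read returned heap memory */
        if (*p == '<')
            p += 2;                /* action: swallow "<x" as one token, may skip pe */
        else
            p += 1;
        /* the quoted check: '==' never fires once p == pe + 1, '>=' still does */
        if (use_ge ? (p >= pe) : (p == pe))
            break;                 /* goto _test_eof */
    }
    return out_of_bounds;
}
```

An input ending in an unterminated "<" is the only shape that trips the buggy check; the same input with the token fully inside the buffer terminates cleanly under both checks.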

Bug Fix Timeline – Cloudflare

  • 2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
  • 2017-02-18 0032 Cloudflare receives details of bug from Google
  • 2017-02-18 0040 Cross-functional team assembles in San Francisco
  • 2017-02-18 0119 Email Obfuscation disabled worldwide
  • 2017-02-18 0122 London team joins
  • 2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
  • 2017-02-18 0722 Patch implementing kill switch for cf-HTML parser deployed worldwide.
  • 2017-02-20 2159 SAFE_CHAR fix deployed globally
  • 2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes, and Email Obfuscation re-enabled worldwide.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
