Scrapbook 2 - Cloudflare Bug Exposes Unintended Information
Massive Bug May Have Leaked User Data From Millions of Sites. So … Change Your Passwords by Lily Hay Newman of Wired (PDF archive)
Summary
Many large name websites, like Fitbit, Uber, and OkCupid, were utilizing Cloudflare's SSL certificates for their website security. Cloudflare had a major vulnerability exploited that caused requested endpoints to return additional data in the response from other websites. Cloudflare acts as a middleman when performing requests. So, when a request is made to a website behind Cloudflare, it passes through Cloudflare at the time of the request and at the response. The bug exploited from requests that returned HTML and the issue was in their parser. If a website response was HTML and there were mismatched HTML tags, Cloudflare would incorrectly parse the HTML and return additional information from its cache. This cache could contain any set of data from any other request. While the results could vary, they were cached in search engines like Google and Bing. Cloudflare worked quickly to resolve the bug, but the data was still cached for some period of time in these websites (or search engines) that scrape website information. This was a very serious issue that may have impacted a large number of users.Reason Chosen
The Cloudflare "Cloudbleed" vulnerability was very big news recently and really highlighted the issue of using a third-party service to take care of a website's security. The impact was also large and they were unsure of who all would be impacted by this.At my work, particularly, we had clients that were utilizing this service and it sent some of my coworkers into a bit of a frenzy. Not all of our clients use this service so it didn't impact many of us but it was extremely relevant and discussed a lot. It was also a good reminder to really take into consideration what third-party services are being used for and if using them is really in the best interest of the website users.
Ethical Implications and Personal and Social Values at Stake
This situation highlights the kinds of problems that can occur outside of the scope of a single code base when relying on third-party providers to handle security for your website. As a company needing to handle SSL certificates, passing this responsibility off to another is an ethical issue when one needs to be concerned about protecting their user data. Users are trusting the websites they utilize to do this and do it well. It's troubling to know that so many websites were utilizing this feature and that such a small issue can cause such a large problem for individual people.
This GitHub Gist has a list of websites that were using Cloudflare and it was recommended that users change their passwords for all of them.
This GitHub Gist has a list of websites that were using Cloudflare and it was recommended that users change their passwords for all of them.
Source Credibility
Wired is a well-known, technology-focused magazine based in San Francisco, California that has been active since 1993. They provide detailed articles surrounding relevant issues in technology.Lily Hay Newman is a Security Staff Writer for Wired and has previously worked at other notable magazines and news organizations.
