Google Just Discovered A Massive Web Leak and You Might Want To Change All Your Passwords

A Google researcher uncovered the most worrying web leak of 2017 so far, possibly exposing password, private messages and other sensitive data of customers belong to Uber, FitBit, and OKCupid.

It is named as CloudBleed by some because the problem was caused by a vulnerability in code from hugely popular web company, CloudFlare and was not dissimilar to infamous Heartbleed bug of 2015. It is quite similar to Heartbleed in which at least 2 million websites was returning random chunks of memory from vulnerable servers when request come in.

Making the issue even more severe was the fact that the search engines were caching that leaked information. Another major concern was CloudFlare typically hosts content from different sites on the same server so request to one vulnerable website could reveal information about other domains on CloudFlare too.

“For example, you could have visited a page on, and a chunk of memory from a previous request/response to would be returned,” explained Pen Test Partners whitehat hacker Andrew Tierney. “This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data – my mum may have someone else’s passwords stored in her browser cache just by visiting another CloudFlare fronted site.”

Famous Google bug hunter Tavis Ormandy uncovered the issue, describing it in a brief post, noting that he informed CloudFlare of the problem on February 17. In this try, he was able to have the server return encryption keys, passwords and even HTTPS request of other users from major CF hosted sites.

Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.

— Tavis Ormandy (@taviso) February 23, 2017

In a later post, he found the issue to be even more severe:

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Ormandy wrote that CloudFlare sent him a draft post that “severely downplays the risk to customers,” though he didn’t say what he thought about the final public notification that went out Thursday. In that post, CloudFlare wrote: “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through CloudFlare potentially resulting in memory leakage (that’s about 0.00003 percent of requests).” It admitted that the earliest date memory could have leaked was September 22 2016. CloudFlare also said one of its own private keys leaked, one for internal machine-to-machine encryption.

A large list of CloudFlare websites has been uploaded to GitHub, though it’s not clear just which ones leaked any data (another list found a handful of affected domains). The user who posted the Github list still recommended users of all those sites change their passwords as a precaution. Security entrepreneur Ryan Lackey recommended the same, though noted it was unlikely the average web user’s password was in danger of being stolen.

What’s the CloudBleed bug?

The problem lay in the way CloudFlare parsed and modified web pages when a user hit the site. When certain data was sent to the server, it would fail to parse the information properly and cough up sections of memory, jumping over the “buffer” designed to keep secret info secure. That memory might have contained sensitive data, like passwords or private communications.

Ormandy found the issue by firing a load of junk data at CloudFlare servers, a process called “fuzzing.” In some cases, he received responses that contained information from memory. He could then easily replicate the process to guarantee that sensitive information would be returned.

CloudFlare, Google and other search engine providers have been scouring the web looking for sites that may have leaked information via the CloudBleed bug. They found 161 unique domains where leaked memory had been cached by the search engines, and that data has now been purged. “We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything,” CloudFlare added.

SEE ALSO: Hacker Leaks iPhone Cracking Tools Used By The FBI

Regardless of that cleanup and the continuing efforts of CloudFlare to remove the bug from its customers’ servers, Google security researchers like Natalie Silvanovich believe the ultimate impact might be severe.

tl;dr there’s no guarantee that private message you sent on OkCupid isn’t on the public internet somewhere

— Natalie Silvanovich (@natashenka) February 23, 2017

UPDATE Uber says that the impact on its service was very limited. Only a handful of user session tokens were leaked, which could have allowed access to those particular accounts, and they’ve now been changed. Passwords were not exposed.

An OKCupid spokesperson said much the same: “CloudFlare alerted us last night of their bug and we’ve been looking into its impact on OkCupid members. Our initial investigation has revealed minimal if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them.”

SEE ALSO: Meet the Corsair One ‘category-defying’ gaming PC debut

FitBit said it was investigating, adding that concerned users can change their account password whenever they wanted. It’s encouraging anyone who believes they had an issue to send an email to [email protected]

Keep in mind, however, that companies may not be able to determine how, when or how many times data was leaked into people’s browser caches, or if any attacks took place. CloudFlare could provide some idea of the total impact, though.

CloudFlare CEO Matthew Prince told FORBES that the company had logs for requests that triggered the bug. He said that during the five-day period between February 13 and February 18, every day there were approximately 100,000 requests for the affected 3,500 pages. That meant roughly 500,000 connections could have caused data to leak. For each customer, only “relatively small amounts of data” were leaked. That information was passed onto customers so they could determine the impact.

He explained that the higher traffic customers were more at risk of leaking information. Because customers of CloudFlare share servers, when the vulnerability was triggered it would leak whatever random memory was passing through the system at that time. That would more often be for sites that get more visitors.

As Prince noted, this problem could have been far worse if Google hadn’t issued an alert. “I think we dodged a bullet there,” he added. “[Malicious hackers] could have made hundreds of millions of requests to those pages and pulled a lot of data.”

- Advertisement -
c5d094d2086cdf56ad5c1380e5317d2e?s=96&r=g - Google Just Discovered A Massive Web Leak and You Might Want To Change All Your Passwords
Adeel Younas
Editor-in-Chief at TechWafer (previously The Tech) an Entrepreneur, Blogger, Developer, and Freelancer.

Recent Articles

5 Best Laptops for Hackintosh in 2020 Under 1500 USD

Are you looking for the best Hackintosh computer? Don't worry, as we have entirely resolved your problem. It is a complete buying guide prepared...

Huawei releases its 2019 Annual Report

Huawei announces solid business performance and commitment to creating greater value for customers and society

TECNO #CamonShow” Campaign Created Stir on TikTok

Globally acclaimed smartphone brand, TECNO, has collaborated with TitTok for its #CamonShow challenge. Its goal is to boost the profile of newly launched Camon...

Vivo Extends the Warranty of its Smartphones in Pakistan

In the wake of current COVID-19 outbreak, following the government directives Vivo, the global smartphone brand has closed all of its service centres in...

Best Laptops for Hacking and Hackers in 2020

This blog will guide white hat hackers in buying powerful laptops to pursue their hacking-related tasks. A hacker needs to perform variously on the...



Leave A Reply

Please enter your comment!
Please enter your name here