March 9, 2017
By Brett Johnson, Cybercrime/Identity Theft Consultant, AnglerPhishSecurity.com
“Cloudbleed.” That’s what they are calling it. It is the biggest Web security breach of the year. Only three months into 2017, Cloudbleed might be the biggest breach of the entire year due to the number of sites and customers potentially affected.
“Cloudbleed” is the name given to the recently discovered security breach of Cloudflare. Cloudflare is a CDN (Content Delivery Network). It hosts a Website’s static content on its servers and this static content is then served to that Website’s visitors. The result is much faster access to a site using Cloudflare while also providing a variety of internet security services.
So what happened? Cloudflare was leaking customer information. Well, “leaking” isn’t really the right word. It was much more serious than a leak. It was a deluge. Private messages, full chat logs, password manager data, hotel bookings, adult Web frames, https requests, session tokens, cookies, IP addresses, passwords, keys, data—EVERYTHING—was leaked by Cloudflare to random requesters between September 9, 2016 and February 18, 2017. Additionally, the data was cached by search engines and may have been collected by countless criminals over those five months.
The data leak was the result of a bug with Cloudflare sites using email obfuscation (hiding email addresses from bots), server-side excludes (hiding sensitive content from suspicious visitors), and Automatic HTTPS Rewrites (safely rewriting links to unencrypted resources from HTTP to HTTPS). Only requests from sites using those features leaked data. The problem is the leaked data wasn’t necessarily from those same sites. The leaked data could have been from ANY site using Cloudflare caching. What does that mean? It means there are 4,287,625 possibly affected domains 1. Got your attention yet?
Tavis Ormandy, a researcher with Google’s Project Zero Team noticed the bug and alerted Cloudflare to it on February 17. Cloudflare subsequently deactivated those three features which were causing the bug.
Cloudflare issued a statement attempting to minimize the public perception of the impact. Cloudflare CTO John Graham-Cumming said, “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines…We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.” 2 Cloudflare goes on to state, “The greatest period of impact was from February 13 to February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).” 2
That’s three hundredth-thousandths of 1 percent chance of memory leakage. Impressive. It certainly seems very improbable that much data would be leaked. Of course, what Cloudflare doesn’t mention is that 0.00003 percent actually results in 100,000 to 200,000 pages of private leaked data EVERY DAY. And that is just the number that Cloudflare recognizes through RANDOM generation. We still don’t know if any online criminals might have mined Cloudflare for data before Tavis Ormandy found the bug.
Cloudflare has taken the tactic used by countless other companies and organizations when security is compromised and data is released. They have chosen to minimize. The public is given the comforting 0.00003 percent figure without explanation of what it actually means. Or the public is told the bug only affected sites employing email obfuscation, server-side excludes, and Automatic HTTPS Rewrites without fully explaining it also affected close to 5 million other sites not using those features. The result is a public that might not be fully aware as to the seriousness of the Cloudbleed breach because of the misleading statements issued by Cloudflare itself.
It’s serious. It is so serious that one cannot really overstate the problem. The risk to customers is immense. Whether you are a business owner, visitor, subscriber, or customer of a site connected with Cloudflare, you need to make sure you are not in danger of being compromised.
What to do:
Vendors and sites need to reset all session tokens. Response data was leaked more than request data. Responses generally have session tokens instead of passwords. Users need to log out of all active sessions. Sites may be compromised in the near future because of data found in search engines caches. As such, resetting session tokens should be done weekly for the next few weeks to ensure security. Users should also log out of all active sessions consistently. If you are a user of a Website which doesn’t have the option to log out of an active session, contact the site and demand they rotate session tokens.
Cloudflare stated it and it bears repeating: CHANGE ALL PASSWORDS. Do not use the same password for multiple sites. Do not use easy to guess passwords or common phrases. This includes if you use a password manager. Password managers were part of the affected sites of Cloudbleed. Change every password immediately. Rotate API Keys, secrets, and enable two-factor authentication on important sites.
Yes, this leak is that serious. ALL Cloudflare proxy customers were vulnerable. An admitted 100,000 to 200,000 pages of private data was leaked daily. Because of the nature of the data released, any number of crimes could be committed.
Leaked data is easily used to take over accounts. Thieves love using existing customer user logins for various sites. It allows the criminal to pass as an existing valued user. Take over the account, age it properly and viola! Successful crimes committed.
Financial accounts can also be taken over and drained of their funds. Several sites on Cloudflare operate in the financial industry. The data from those sites was also vulnerable. There is no worse feeling in the world for your customers than waking up one morning and finding out their accounts have been drained.
Dating site data was leaked. Private messages were leaked. Entire chat logs were leaked. Porn site frames were leaked. Prime blackmail territory, considering personal information was leaked as well.
Identity theft in a breach like this is a given. Whether enough information was leaked to enable a thief to commit ID fraud, or just allow him to build a better profile of a target is debatable. Regardless, the data would be welcomed by criminals.
That’s a sampling of what can be done with this data if it gets in the wrong hands. Take it from a former cybercriminal. Data like this almost always ends up in criminal networks. Failure to take the precautions mentioned only helps the bad guys.
Brett Johnson is a former hacker, fraudster and U.S. Most Wanted criminal. As a founder of Shadowcrew.com, one of the first, most influential and most notorious online marketplaces for cybercriminals to buy, sell and trade stolen information and learn about effective fraud techniques, Johnson has been at the epicenter of cybercrime for nearly two decades. Under the handle “Gollumfun,” he helped design, implement and refine card-not-present fraud, account takeover fraud, identity theft and many other forms of attacks e-commerce merchants and banks still struggle with today. Johnson will deliver the keynote address at the 2017 CNP Expo and be available for a merchant-only session on May 23, 2017. Click here for more information on Johnson and the CNP Expo.
- Identifying and Preventing ATOs and New Account Creation Fraud
- PCI and CNP: How to Spell Security
- Preventing Fraud Without Payment Card Data, Public Records or With Strict Privacy Laws