Cloudflare Memory Leak Exposes Private Data

Cloudflare, a content distribution network used by many popular sites, published detailed information about a security vulnerability that leaked user information, some of which was private, including passwords, private messages, etc. The vulnerability was discovered by security researcher Tavis Ormandy, a member of Google’s Project Zero team.

The issue stems from a memory leak in an HTML parser named cf-html that was created to replace an older parser based on Ragel.

“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used,” John Graham-Cumming, Chief Technology Officer at Cloudflare, said. “Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.”

Information was first leaked on September 22nd, 2016, when Automatic HTTP Rewrites were enabled. This was the first of three features introduced that used the parser. The other two are email obfuscation and Server-side Excludes.

The greatest period of impact was between February 13th and February 17th. The leaked information ended up in publicly available cached webpages. Cloudflare worked with major search engine providers to have the cached pages scrubbed before publicly announcing details of the bug.

“With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory,” Graham-Cumming said. “Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines. We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”

1Password is Not Affected

Earlier reports indicated that 1Password was among the sites affected. Jeffrey Goldberg, a 1Password employee, assured users that the Cloudflare data leak does not affect 1Password.

“At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail,” Goldberg said. “Indeed it is for incidents like this that we deliberately made this design.”

“No secrets are transmitted between 1Password clients and 1Password.com when you sign in and use the service. Our sign-in uses SRP, which means that server and client prove their identity to each other without transmitting any secrets. This means that users of 1Password do not need to change their Master Passwords.”

Change Your Passwords

Nick Sweeting has used a number of web scrapers to compile a list of sites that use Cloudflare. The list is available on GitHub and currently contains 4,287,625 domains that are possibly affected. Popular domains in the list include:

  • authy.com
  • coinbase.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com

The bug also affects mobile apps: HTTP header data for apps such as Discord, FitBit, and Uber has been discovered in search engine caches. NowSecure published a list that includes 200 iOS apps that use Cloudflare services.

Users are strongly encouraged to change their passwords regardless of whether a site uses Cloudflare. Site owners who use Cloudflare should generate new API keys and consider forcing a password change for their users.

Two-factor authentication should be enabled where possible so that the password is not the only credential needed to access an account. Mobile users should log out of mobile applications and log back in to create a new active token. To force all users on a WordPress site to log out and log back in, WPStudio recommends changing the salt keys in wp-config.php.
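The salt rotation mentioned above, as an added example (not WPStudio's or WordPress's own code): a Python helper that replaces the eight authentication keys and salts in the text of a wp-config.php with fresh random values, which invalidates existing login cookies. `SAMPLE_CONFIG`, `new_salt` and `rotate_salts` are names made up for this illustration, and the sample file is constructed.

```python
import re
import secrets

# The eight constants WordPress uses to sign login cookies and nonces.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Characters safe inside a PHP single-quoted string (no quote, no backslash).
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_[]{}<>~`+=,.;:/?|")

# Matches: define( 'KEY', 'value' );  with either quote style.
DEFINE_RE = re.compile(
    r"""^(?P<head>\s*define\(\s*(?P<q>['"])(?P<key>[A-Z_]+)(?P=q)\s*,\s*)"""
    r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")(?P<tail>\s*\)\s*;.*)$""")

# Constructed sample, not a real site's configuration.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_PASSWORD', 'example-db-pass' );\n" + "".join(
    f"define( '{k}', 'old value {i}' );\n" for i, k in enumerate(SALT_KEYS))


def new_salt(length=64):
    """Return a random salt drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, rotated_keys) with every salt define replaced."""
    out, rotated = [], []
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = DEFINE_RE.match(body)
        if m and m.group("key") in SALT_KEYS:
            line = f"{m.group('head')}'{new_salt()}'{m.group('tail')}{line[len(body):]}"
            rotated.append(m.group("key"))
        out.append(line)
    missing = [k for k in SALT_KEYS if k not in rotated]
    if missing:  # refuse to report success on a partial rotation
        raise ValueError(f"salt defines not found: {missing}")
    return "".join(out), rotated


if __name__ == "__main__":
    new_text, keys = rotate_salts(SAMPLE_CONFIG)
    print(f"rotated {len(keys)} keys")
    print(new_text)
```

Run it against a copy of the real file and keep a backup; write the result back with the same owner and permissions as the original.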

Although major search engines are actively scrubbing cached pages, the leaks have been occurring for at least four months. There’s no telling who may have already scraped those pages and archived the data. There’s also the possibility that someone discovered the vulnerability before Ormandy and has been parsing cached pages for months. This is why it’s important that, at a minimum, you change your passwords.

9 Comments


  1. I’m using the salt shaker plugin that automatically changes WordPress security keys and increases security.


      1. I’m using it recently, and it’s very effective, I change the weekly WP security keys … it’s a little known plugin, around 100 downloads, but current … I believe it will now get better known …


      2. Is it really necessary to change salts every week?
        I didn’t check the plugin code but what if one day it sends the salts to someone?


  2. Hey,

    In the email I received they explained that the memory leak was due to their misimplementation of the Ragel parser…

    Not the cf-html parser. They stated that the cf-html parser had been checked thoroughly and was okay, but the changeover exposed the problem with their old implementation.


  3. lol will retract that, that is a really bad bug on Cloudflare’s side, but for sure the most dangerous way to reset passwords is by changing the salts, and obviously it will not be enough if actual passwords were leaked


    1. And only just one more layer … there are other security factors to be implemented … with 2 factors authentication … in my case .. that I was not hacked


  4. I have also received an email from Cloudflare regarding the issue. I have successfully changed my password. Thank God nothing happened to my account.
