The bug that was detected had been dumping confusing chunks of data “interspersed with valid data” for almost four months between September 22, 2016, and February 18, 2017, before it was caught by Ormandy. A pointer error in the source code resulted in a massive security breach, exposing sensitive user data, full messages, encryption keys, API keys, authentication tokens, client IP address, cookies, passwords, and full HTTPS requests through its reverse proxy service, a core competency serviced by CloudFlare.
The CloudBleed bug, named in homage to the 2014 HeartBleed bug, is even more severe than its predecessor. CloudFlare, of all services, is a major web security and CDN (content delivery network) provider. Its global distributed CDN serves over 5.5 million websites, securing billions of requests a second transmitted through its gateways.
The bug bounty CloudFlare rewards its recipients is a limited edition bug hunter t-shirt. Very rare. One would think that a network of this magnitude would put up a bounty a bit more compelling than a single woven blend of lycra and cotton.
Sites Affected by CloudBleed
A Reddit user by the name ‘dontworryimnotacop’ posted a full list on GitHub of all possibly affected domains by compiling CloudFlare’s publicly listed IPs and Alexa top 10,000 sites and doing reverse DNS lookups. While not comprehensive, the list provides an exhaustive 4,287,625 of the 5.5 million domains serviced by CloudFlare that were affected.
Commenting about the scale of this matter, Ormandy wrote in the bug report, “We keep finding more sensitive data that we need to cleanup. I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident.”
The listed cryptocurrency domains include Coinbase, Bitpay, Poloniex, Local Bitcoins, Kraken, Blockchain.info, and BTC-E. Other Bitcoin startups using CloudFlare’s services that were possibly affected are; Bitwala, ICONOMI, and Chronobank. Password manager, 1Password, and second-factor authenticator, Authy, were also listed, though 1Password has confirmed its domain was not compromised through its triple encryption layer. Among the list of confirmed compromised domains, high profile ones like Fitbit, Meetup, and Uber were listed.
CloudFlare itself has not disclosed a comprehensive list confirming the affected domains.
CloudFlare published its postmortem report in a blog post, resolving the issue:
“The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.”
Just like the aftereffects of a nuclear fallout, all survivors touched by the ensuing shockwaves should exercise prudence in securing their digital assets, particularly since those assets become increasingly digital.
For the blockchain community, a lesson learned the hard way by a centralized network is potentially another decentralization innovation waiting to happen.