Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Cloudbleed - Cloudflare Unauthorized Data Leak

2 min read
Last updated Oct 14, 2022


    Cloudflare is a huge internet infrastructure company (5.5 million websites), which means that you likely use them every day that you’re online, without ever realizing it. Depending on what metric you use, as much as 25% of the Alexa Top 10000 sites is using Cloudflare for some part of their public facing infrastructure.

    Get the Free Pentesting Active
    Directory Environments e-book

    What Cloudflare Provides

    Broadly, they provide two services:

    1. Massively fast and distributed DNS services
    2. Denial of Service attack mitigation (and some related security features around re-writing your web pages on the fly to protect them from scraping and other harmful acts.)

    It’s in this second set of services that Cloudflare announced a huge security issue yesterday. Some of their HTML re-writing features had bugs which returned more data than they should have.

    Cloudflare Security Issues

    So what happened? In a nutshell: users that browsed some sites on Cloudflare’s network (SiteA, for example) may have also received portions of requests from other websites (SiteB, SiteC, etc.) that were stored on the same caching servers.

    You may be thinking: “That sounds bad, but not that bad” – so what if a portion of SiteB’s headline ended up in SiteA’s response? Compared to attacks like Heartbleed (which leaked private keys) or the many data breaches which happen every week, this seems almost benign.

    “Request” is the technical name for an interaction with a HTTP server, so it’s tempting to think of this as just two web pages jumbled together: bad, but less catastrophic. However, an HTTP POST (form submit) of your email and password to a site in the Cloudflare network is also considered a “request” and may have been leaked.

    Google, Bing, Baidu and the entire contingent of other web-scrapers that exist on the Internet are also “users” who make “requests” to these sites. The difference is that they keep this data around and show it to whoever requests it. While efforts are furiously underway at these companies to purge their caches of this data – it’s out there and really difficult to tell where it all resides.

    HTTP Requests are aggressively cached all over the internet. From your regional ISP to corporate proxies to your browser. So some of this data is going to be in the wild somewhere for a long time.

    What happened here is a unique type of security issue for which there exists no standard operating procedure. Every sysadmin knows how to update a TLS/SSL cert (which is a fix for Heartbleed, for example). Even sorting out exactly what might have been put at risk requires consulting with web developers, running tests, and thinking of scenarios that were fairly unthinkable previously.

    Nobody gamed out a response plan that started with: “Let’s assume that everything that passed through our website for the last 6 months was publicly accessible.”

    There are many services that rely upon the use of obscure API keys for their security. Now, suddenly every one of those keys need revoked as access to an API key instantly lets you gain access to the features of the service.

    Similarly OAuth (which is in general a security win) exposes access and renewal tokens, which once compromised are a huge support nightmare to roll.

    What to Check for your Site

    How to tell if your site leaked data:

    1. You were using Cloudflare between Sept 9th, 2016 and February 18th, 2017.
    2. You were using Cloudflare’s HTTP/HTTPS termination (proxying requests through Cloudflare, not just using them for DNS)

    What to Check as an Individual

    What to do as an individual: you should consider everything that uses Cloudflare as potentially compromised.

    Security researchers are collaboratively compiling a list of sites at – review the list, change your password and rotate any API keys you have within affected sites. It’s likely that individually affected sites will also be issuing security guidance as the day progresses.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Free Data Risk Assessment

    Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.