Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Cloudbleed - Cloudflare Unauthorized Data Leak

Cloudflare is a huge internet infrastructure company (5.5 million websites), which means that you likely use them every day that you’re online, without ever realizing it. Depending on what metric...
Michael Buckbee
2 min read
Published February 24, 2017
Last updated October 14, 2022

Cloudflare is a huge internet infrastructure company (5.5 million websites), which means that you likely use them every day that you’re online, without ever realizing it. Depending on what metric you use, as much as 25% of the Alexa Top 10000 sites is using Cloudflare for some part of their public facing infrastructure.

Get the Free Pentesting Active
Directory Environments e-book

What Cloudflare Provides

Broadly, they provide two services:

  1. Massively fast and distributed DNS services
  2. Denial of Service attack mitigation (and some related security features around re-writing your web pages on the fly to protect them from scraping and other harmful acts.)

It’s in this second set of services that Cloudflare announced a huge security issue yesterday. Some of their HTML re-writing features had bugs which returned more data than they should have.

Cloudflare Security Issues

So what happened? In a nutshell: users that browsed some sites on Cloudflare’s network (SiteA, for example) may have also received portions of requests from other websites (SiteB, SiteC, etc.) that were stored on the same caching servers.

You may be thinking: “That sounds bad, but not that bad” – so what if a portion of SiteB’s headline ended up in SiteA’s response? Compared to attacks like Heartbleed (which leaked private keys) or the many data breaches which happen every week, this seems almost benign.

“Request” is the technical name for an interaction with a HTTP server, so it’s tempting to think of this as just two web pages jumbled together: bad, but less catastrophic. However, an HTTP POST (form submit) of your email and password to a site in the Cloudflare network is also considered a “request” and may have been leaked.

Google, Bing, Baidu and the entire contingent of other web-scrapers that exist on the Internet are also “users” who make “requests” to these sites. The difference is that they keep this data around and show it to whoever requests it. While efforts are furiously underway at these companies to purge their caches of this data – it’s out there and really difficult to tell where it all resides.

HTTP Requests are aggressively cached all over the internet. From your regional ISP to corporate proxies to your browser. So some of this data is going to be in the wild somewhere for a long time.

What happened here is a unique type of security issue for which there exists no standard operating procedure. Every sysadmin knows how to update a TLS/SSL cert (which is a fix for Heartbleed, for example). Even sorting out exactly what might have been put at risk requires consulting with web developers, running tests, and thinking of scenarios that were fairly unthinkable previously.

Nobody gamed out a response plan that started with: “Let’s assume that everything that passed through our website for the last 6 months was publicly accessible.”

There are many services that rely upon the use of obscure API keys for their security. Now, suddenly every one of those keys need revoked as access to an API key instantly lets you gain access to the features of the service.

Similarly OAuth (which is in general a security win) exposes access and renewal tokens, which once compromised are a huge support nightmare to roll.

What to Check for your Site

How to tell if your site leaked data:

  1. You were using Cloudflare between Sept 9th, 2016 and February 18th, 2017.
  2. You were using Cloudflare’s HTTP/HTTPS termination (proxying requests through Cloudflare, not just using them for DNS)

What to Check as an Individual

What to do as an individual: you should consider everything that uses Cloudflare as potentially compromised.

Security researchers are collaboratively compiling a list of sites at https://github.com/pirate/sites-using-cloudflare – review the list, change your password and rotate any API keys you have within affected sites. It’s likely that individually affected sites will also be issuing security guidance as the day progresses.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

2021-saas-risk-report-reveals-44%-of-cloud-privileges-are-misconfigured
2021 SaaS Risk Report Reveals 44% of Cloud Privileges are Misconfigured
Cloud apps make collaboration a breeze, but unless you’re keeping a close watch on identities, behavior, and privileges across each and every SaaS and IaaS you rely on, you’re a sitting duck.
cloud-applications-put-your-data-at-risk---here's-how-to-regain-control
Cloud Applications Put Your Data At Risk - Here's How To Regain Control
Cloud applications boost productivity and ease collaboration. But when it comes to keeping your organization safe from cyberattacks, they're also a big, growing risk. Your data is in more places...
varonis-adds-file-analysis-to-cloud-data-classification-capabilities
Varonis adds file analysis to cloud data classification capabilities
We’re excited to announce that Data Classification Cloud now includes robust file analysis for verifying classification results across your cloud environment.
varonis-adds-sspm-functionality-to-datadvantage-cloud
Varonis adds SSPM functionality to DatAdvantage Cloud
SaaS misconfigurations can unintentionally expose valuable corporate data. The new Insights Dashboard from Varonis helps you find and fix these security gaps.