adimas - Fotolia

Old code haunts Cloudflare with memory leak scare

Ancient software has been blamed for a major memory leak affecting hundreds of thousands of web pages delivered via Cloudflare’s CDN

Cloudflare, the content delivery service, has admitted that a memory leak in old code has caused a bug that may have inadvertently exposed the private data of its customers.

The flaw is also believed to have led to a leak of a security key used to encrypt internal server communications within its datacentres.

According to a BBC report, as many as 120,000 pages a day may have been affected by the bug.

In a detailed blog post explaining the problem, the company’s chief operating officer, John Graham-Cumming, wrote: “Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare website that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.”

Graham-Cumming said Cloudflare had also had to content with an further problem since Google, and other search engines, had cached some of the leaked memory through their normal crawling and caching processes.

“Our natural inclination was to get news of the bug out as quickly as possible, but we felt we had a duty of care to ensure that search engine caches were scrubbed before a public announcement,” he said. “We wanted to ensure that this memory was scrubbed from search engine caches before the public disclosure of the problem so that third parties would not be able to go hunting for sensitive information.”

Graham-Cumming said the company’s infosecurity team, working alongside the search engine companies, had caught 770 unique URIs that had been cached, that contained leaked memory. “Those 770 unique URIs covered 161 unique domains,” he said. “The leaked memory has been purged with the help of the search engines.”

Read more internet infrastructure security stories

  • OpenSSL certificate verification flaw lets attackers impersonate cryptography-protected websites, email servers and virtual private networks (VPNs).
  • In this week’s Computer Weekly, we investigate the most significant flaw in recent history to impact the internet. The Heartbleed bug in OpenSSL leaves millions of internet servers vulnerable to attack.

The original flaw concerned old code that had a latent security problem which was identified only during migration to newer software. “Our internal infosec team is now undertaking a project to fuzz older software looking for potential other security problems,” Graham-Cumming said in the blog.

As well as external websites, he admitted the bug had also leaked a private key used to secure connections between Cloudflare machines.

“When processing HTTP requests for customers’ websites, our edge machines talk to each other within a rack, within a datacentre and between datacentres for logging, caching and to retrieve web pages from origin web servers,” he said.

Cloudflare has been encrypting these server connections to reduce hacking attacks, but Graham-Cumming said the private key leaked was the one used for this machine-to-machine encryption.

Read more on Datacentre disaster recovery and security