“We have undertaken a full review of the parser code to look for any additional potential vulnerabilities,” said Matthew Prince, CEO and co-founder of Cloudflare in a blog post.
“While we were able to mitigate this bug within minutes of it being reported to us, we want to ensure that other bugs are not present in the code,” he said.
The assurances come a week after chief operating officer John Graham-Cumming published a blog explaining that a bug in old code had caused Cloudflare servers to run past the end of a buffer and return memory that contained private information such as authentication tokens and other sensitive data.
As a result, data from some customers leaked to other Cloudflare customers whose requests were in the server’s memory at the same time, and some of this data was cached by search engines.
The greatest period of impact was from 13-18 February 2017, with around one in every 3,300,000 HTTP requests through Cloudflare (0.00003%) potentially resulting in memory leakage, said Graham-Cumming.
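The over-read described above, as an added C illustration that is constructed here and is not Cloudflare’s parser (the page does not give the exact defect in Cloudflare’s code, so the escape-handling off-by-one, the memory arena and the `SECRET-TOKEN` value are assumptions): a buggy extractor runs past the end of one request’s buffer into adjacent memory belonging to another request, beside a fixed version that stops at the boundary.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class; not Cloudflare's code. One
 * arena stands in for server memory: request A's bytes are immediately
 * followed by bytes belonging to an unrelated request B. */
static const char ARENA[] =
    "<a href=\\"                      /* request A (9 bytes), ends in '\' */
    "Cookie: session=SECRET-TOKEN>";  /* request B: adjacent memory */
#define REQ_A_LEN 9

/* Copy the attribute value after '=' into out, stopping at '>' or at the
 * end of the request. Defect: a backslash advances p inside the loop body,
 * so a trailing '\' moves p onto 'end' without the '!=' test seeing it, and
 * the loop runs on into whatever memory follows the buffer. */
size_t extract_value_buggy(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *end = buf + len;
    const char *p = memchr(buf, '=', len);
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    for (p++; p != end && *p != '>' && n + 1 < outsz; ) {
        if (*p == '\\') p++;          /* escape: take the next byte literally */
        out[n++] = *p++;              /* no check that p is still below end */
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: compare with '<' and re-check the bound after every advance. */
size_t extract_value_fixed(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *end = buf + len;
    const char *p = memchr(buf, '=', len);
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    for (p++; p < end && *p != '>' && n + 1 < outsz; ) {
        if (*p == '\\' && ++p >= end) break;   /* escape at buffer end: stop */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    extract_value_buggy(ARENA, REQ_A_LEN, out, sizeof out);
    printf("buggy: \"%s\"\n", out);   /* prints request B's cookie */
    extract_value_fixed(ARENA, REQ_A_LEN, out, sizeof out);
    printf("fixed: \"%s\"\n", out);   /* empty: stopped at the buffer end */
    return 0;
}
```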
In addition to Cloudflare’s own code review, Prince said the company is working with the outside code auditing firm Veracode to review Cloudflare’s code.
To address concerns around cached data, he said Cloudflare is working with third-party caches to expunge leaked data.
“We will not let up until every bit has been removed. We also continue to analyse Cloudflare’s logs and the particular requests that triggered the bug for anomalies.”
While admitting that the bug, dubbed Cloudbleed, was “very bad” and had the potential of being much worse, Prince said Cloudflare had found no evidence that the bug was maliciously exploited before it was patched and that the vast majority of Cloudflare customers had no data leaked.
After a review of tens of thousands of pages of leaked data from search engine caches, he said that although investigators found a large number of instances of leaked internal Cloudflare headers and customer cookies, they did not find any instances of passwords, credit card numbers, customer encryption keys or health records.
Prince said that because the analysis was based on a set of sample data, it is impossible to conclude that no sensitive data at all was exposed. However, he said if there was any exposure, it does not appear to have been widespread.
“We have also not had any confirmed reports of third parties discovering any of these sensitive data types on any cached pages,” he wrote.
Prince concluded by saying that the Cloudbleed bug showed just how much of the internet puts its trust in Cloudflare.
“We know we disappointed you and we apologise. We will continue to share what we discover because we believe trust is critical and transparency is the foundation of that trust,” he wrote.
Cloudflare praised for response to bug report
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, praised Cloudflare for the way the company had dealt with the bug report.
“Cloudflare’s reaction to the incident was professional, rapid and transparent. It can serve as an example to other companies,” he said.
However, Kolochenko said he thinks the Cloudbleed name for the bug is inappropriate because it did not affect almost every company in the world, unlike Heartbleed.
“Heartbleed caused several major data breaches, while with the Cloudflare incident no major breaches are officially confirmed yet,” he said, adding that there are still many organisations vulnerable to Heartbleed, while all avenues of Cloudflare’s vulnerability exploitation seem to be mitigated.