Equipment Notes

Notes about video and audio equipment that I use... that others might find useful.

Friday, February 24, 2017

Cloudbleed... a major bug on the Internet

Today (Friday 24 February 2017) at 14:30 I was notified of a major security problem on the Internet directly by the company concerned, which we use. The company is a reputable and diligent company but it was serious enough they alerted all their customers. It was actually first made public yesterday and is potentially one of the more serious security problems ever on the Internet. The bug could have given your passwords and other information to people who should never have them.

How serious is this? Does it affect financial institutions on the Internet?

This is very serious and you need to take action. I know personally of two financial institutions on the list of 4,288,852 affected domains, one of which I use myself. There are probably many more.

What should you do?

Check your password managers and change all your passwords on affected sites, possibly all of your passwords if you want to be especially careful. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

To check if you have visited a site that could have leaked your private information you can download a list of affected sites here:
NOTE the list is very large (77 MBs when unzipped). There are 4,288,852 affected domains listed.

How long has this being going on?

Between 22 September 2016 and 18 February 2017 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months. The greatest period of impact was from February 13 to February 18 2017.

What was the cause of the bug?

In one of the programs Cloudflare uses there were two lines of code:
if ( ++p == pe )  
goto _test_eof;
This created a pointer error to a memory location that leaked data and should have been:
if ( ++p >= pe ) 
goto _test_eof;
Yes, an error in two lines of code can be that serious! That code was in fact automatically generated by a program called Ragel. It should have been spotted but because the program only failed 1 in every 3,300,000 times it ran, it wasn't easy to spot. However when it runs many billions of times per day then the effect is still significant.

Can this information be validated?

Below are links to validate this information. It's technical so you might not understand it, but I'm giving you the links so that you can be sure it's genuine.

Here's a link to the public admission of the problem:
Here's the report and interaction from Google's Project Zero team who first found the bug:

Further information:
This material is copyright and cannot be re-published without permission of the author
richard[at]creativemultimedia[dot]co[dot]uk