Cloudflare is one of the world’s largest internet security companies, a multibillion-dollar startup that runs a popular content delivery network used by more than 5.5 million sites.
The company has now found that a bug in its code leaked sensitive data across the Internet for months.
According to Tavis Ormandy, the leaked data included private messages from different sites, online password manager data, frames from adult video sites, and hotel bookings.
The bug is known as the Cloudbleed vulnerability. Cloudflare says the earliest data leak dates back to September 2016. It is so far unclear whether blackhat hackers had already found the vulnerability and exploited it secretly.
Major companies like Uber, OKCupid, 1Password, and FitBit are all clients of Cloudflare. If you are a client of Cloudflare, the only remedy is to change your passwords and implement two-factor authentication everywhere you can.
How Cloudbleed works
The most interesting detail is that a single character in Cloudflare’s code led to the vulnerability. By available accounts, Cloudbleed is somewhat similar to Heartbleed. Cloudflare’s blog post says that the issue stems from the company’s decision to use a new HTML parser called cf-html. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.
Cloudflare ran into trouble when formatting the source code of cf-html and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, it would fill up the buffer and then keep writing data somewhere else. (If you’re dying for a more technical explanation, Cloudflare laid it all out in a blog post.)
In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it.
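The “==” versus “>=” error described above can be reproduced in miniature. The following C program is an added illustration, not Cloudflare’s code: the scanner loop `walk`, the `ARENA` layout and its contents are all constructed for this example, and it shows how an equality test for end-of-buffer is stepped over when the cursor advances by more than one position, while “>=” still stops at the boundary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout: 5 bytes of "our" HTML followed directly by
   bytes that belong to another request. One array holds both, so the
   faulty walk below never leaves memory this program owns. */
static const char ARENA[] = "<a b=" "OTHER-SITE-COOKIE";
#define OURS_LEN 5

/* Hypothetical scanner loop. A '=' makes the cursor take one extra step,
   as a parser action might. Bytes visited at or beyond `len` are copied to
   `leaked` (NUL-terminated); the return value is how many there were.
   `cap` is the size of the whole arena and bounds the walk. */
static size_t walk(const char *buf, size_t len, size_t cap,
                   int use_ge, char *leaked)
{
    size_t i = 0, n = 0;
    while (i < cap) {
        /* End-of-buffer test: the single operator under discussion. */
        if (use_ge ? (i >= len) : (i == len))
            break;
        if (i >= len)
            leaked[n++] = buf[i];   /* byte that is not ours */
        if (buf[i] == '=')
            i++;                    /* extra step can jump over `len` */
        i++;
    }
    leaked[n] = '\0';
    return n;
}

int main(void)
{
    char out[sizeof ARENA];
    size_t cap = strlen(ARENA);

    /* Input ending in '=': cursor goes 4 -> 6 and never equals 5. */
    printf("==  leaked %zu bytes: \"%s\"\n",
           walk(ARENA, OURS_LEN, cap, 0, out), out);
    printf(">=  leaked %zu bytes: \"%s\"\n",
           walk(ARENA, OURS_LEN, cap, 1, out), out);
    /* Input not ending in '=': both tests stop at the boundary. */
    printf("==  leaked %zu bytes on benign input\n",
           walk(ARENA, OURS_LEN - 1, cap, 0, out));
    return 0;
}
```

The faulty test only misbehaves on input that ends at exactly the wrong byte, which is why a defect like this can sit unnoticed until a specific input triggers it.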