SB 17.02 :: CloudFlare-Bug erlaubt das Auslesen sensibler Daten

Ein Fehler bei Cloudflare erlaubte das Auslesen sensibler Daten, wenn Cloudflare als CDN oder ReverseProxy benutzt wurde. Damit konnten Angreifer u.a. Sessioncookies oder Anmeldedaten monatelang auslesen.

Ein Statement von Cloudflare zu dem Bug:

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

Eine Einschätzung von einem reddit-user:

The data that cloudflare leaked was mixed in with standard web content. This means that sensitive data from one site was randomly intermixed with data from other sites, in a recoverable fashion. Because of the nature of webcontent, it can be cached for a long time, notably by search engines. This means that sensitive data such as passwords and credit card numbers may be currently stored in a way anyone can see if they search correctly.

This affects many sites, definitely including ones you use.

Tavis Ormandy von Projekt Zero hat den Fehler am 18.02. gemeldet, der innerhalb von 2 Tagen geschlossen wurde. Cloudflare-User haben eine Liste betroffener Seiten zusammengestellt, hier eine Liste der German Top 500 Webseiten,

German Top 500 Sites @ Cloudflare

   > www.kinox.to 
   > www.movie4k.to 
   > www.mydealz.de 
   > www.heftig.co 
   > www.dawanda.com 
   > www.mozilla.org 
   > www.neobux.com 
   > www.yelp.de 
   > www.privatehomeclips.com 
   > www.chaturbate.com 
   > www.beeg.com 
   > www.promiflash.de 
   > www.kleiderkreisel.de 
   > www.bitshare.com 
   > www.share-links.biz 
   > www.deutsche-wirtschafts-nachrichten.de 
   > www.linkcrypt.ws 
   > www.share-online.biz 
   > www.urlaubspiraten.de 
   > www.bab.la 
   > www.mygully.com 
   > www.pcgameshardware.de 
   > www.serienjunkies.org 
   > www.hardsextube.com 
   > www.movie-blog.org 
   > www.sunmaker.com 
   > www.klicktel.de 
   > www.fiverr.com 
   > www.feedly.com 
   > www.pcgames.de 
   > www.gulli.com 
   > www.belboon.com 
   > www.goldesel.to 
   > www.hardwareluxx.de 
   > www.tradedoubler.com 

Referenzen

• Project Zero: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
• Cloudlfare: Incident report on memory leak caused by Cloudflare parser bug
• List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak
• reddit