There are no active attacks employing the Cloudflare memory leak vulnerability.
Now patched, the first ended up discovered February 17 by Google Project Zero researcher Tavis Ormandy.
Cloudflare determined the bug, also called Cloudbleed, caused its edge servers to run past the end of a buffer and return memory that contained potentially sensitive information, including cookies and authentication tokens. Ormandy also found the leaked data included passwords, encryption keys, private messages from dating sites, chat messages, IP addresses and HTTPS requests.
The flaw came into play in September 2016, but it had the greatest impact between February 13 and February 18, when one in every 3.3 million requests going through Cloudflare’s systems may have resulted in memory leakage. The bug itself ended up mitigated within hours, but it took several days to contain the incident because leaked data ended up cached by search engines.
“While the bug was very bad and had the potential to be much worse, based on our analysis so far: 1) we have found no evidence based on our logs that the bug was maliciously exploited before it was patched; 2) the vast majority of Cloudflare customers had no data leaked; 3) after a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records; and 4) our review is ongoing,” Cloudflare co-founder and chief executive Matthew Prince said in a blog post.
“If a hacker was aware of the bug before it was patched and trying to exploit it then the best way for them to do so would be to send as many requests as possible to a page that contained the set of conditions that would trigger the bug,” Prince said. “They could then record the results. Most of what they would get would be useless, but some would contain very sensitive information.”
While Cloudflare’s investigation into the Cloudbleed incident continues, it has not found any instances where the leaked memory included passwords, payment card numbers, customer encryption keys, or health records.