Towards the end of last month, it was revealed that CloudFlare, a popular CDN provider, suffered a vulnerability that caused its edge servers to leak private data. The vulnerability – discovered by Google researcher Tavis Ormandy – was swiftly mitigated, but because the problem may have existed since September 2016, it’s worth taking some time to understand the potential implications for eCommerce merchants, site owners, and their users.
Cloudflare is a service that – among other things – helps websites achieve better performance. It takes the contents of a website and uploads it to edge servers around the world. When a user requests a page, the request is redirected to the nearest edge server, significantly reducing the latency introduced when server and client are far apart. Because the site’s HTML and other assets travel through Cloudflare, they can be processed in various ways before being passed on to the requester.
To process the HTML, Cloudflare runs pages through an HTML parser. A bug in that parser is what caused private information to be leaked. You can read the full technical details in Cloudflare’s post-mortem, but, in short, a buffer overrun error caused the parser to access parts of the server’s memory that should have been private. In a specific combination of circumstances, the parser would not stop with the HTML it was parsing, but would continue to read data from memory. That data sometimes included sensitive information like login details, keys, and private messages.
When someone requested the page, the private data was sent along with it. Even worse, the private data was also sent when web crawlers made page requests, including search engine crawlers, which resulted in some private data being made available in search engine results.
That all sounds very bad indeed, but it should be understood that the buffer overrun could only happen in a very specific set of circumstance. It’s not the case that every request routed through Cloudflare leaked private data. According to the company:
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (thatʼs about 0.00003% of requests).”
Cloudflare is huge, so even 0.00003% is a lot of requests, but there’s no evidence that any criminals were actively exploiting the vulnerability and the problem was fixed less than 8 hours after it was discovered. For large sites using Cloudflare, it’s likely that some user data was leaked, but for each individual user the risk is miniscule. Google and other search engines have attempted to scrub their search indexes of any private data that may have been cached.
Should You Reset Passwords?
At this point, the risks are minimal. If you use Cloudflare with your site or eCommerce store, you may choose to advise users to reset their passwords out of an abundance of caution. Given the extensive publicity the leak received, it may well be wise to communicate with users about the nature of the vulnerability and the risk to their privacy. Some security experts advise that passwords should be reset, but because the risk to individual users is small, some prominent security writers advise against password resets, arguing it will do little to protect users and is likely to add to the security fatigue that causes users to ignore security best practices.