Tech Translation - Cloudbleed

What's that red rain? Your data.

Peter Mulroe

In a staggering display of modern irony, Cloudflare, a large content delivery network (CDN) and internet security provider, unknowingly leaked user data for months.

The cause was an obscure bug that emerged in September 2016 and lasted until this past February. A software "bug" refers to a coding flaw that causes unexpected results or behaviors.

This bug caused random user information to be displayed below normal content on pages and apps. Like the image below, it was a seemingly scrambled bunch of letters and foreign symbols.

That scramble is another user's internet traffic. Mostly mundane but also potentially containing passwords, cookies and tokens in plain sight, for anyone who activated the bug to see.

Notable affected names include Patreon, 4chan, Yelp, OkCupid, and Uber. View the whole list here.

To make matters worse those pages were saved, or cached, by search engines. Awkward.

How did this happen? What are the repercussions?

That's our Tech Translation topic. Class is in session.


The Short Explanation

While different from past issue nicknames like Heartbleed, nerds apparently lack originality and went with Cloudbleed. One article comment from The Hacker News pointed out that clouds don't bleed, but can form fallstreak holes. Cloudstreak has a better ring to it, no? #VoteForCloudstreak

I digress.

Cloudflare is an intermediary for internet companies and their users. Site and app content pass through their networks before reaching you. In September they updated their information parsing software, which scans and modifies your content to provide modern features like hiding your email from scummy ad robots.

Bugs tend to emerge under some odd combination of settings and circumstances. In this case, about 0.06% of all web pages end with a broken script or image tag. For instance, if the very last thing on a site is an image, the code could be:

<IMG HEIGHT = "50px" WIDTH = "200px" SRC="

Normally the image URL would go after SRC= and a closing "> wraps it up neatly. It's not a huge deal; most browsers can handle small syntax errors like that.

The problem was their code to inspect all that website code, otherwise known as a parser. It was written with Ragel, by the way.

Imagine you're at the grocery store, waiting to check out. The cashier is blind and can only tell when your stuff, the site you're looking at, ends by the plastic dividers.

The laden conveyor represents everyone's internet traffic. Separate groups and item combinations, but all traveling along Cloudflare's network.

Due to a misorder of commands and a whole lot of crap luck, those grocery dividers did not stay put. The cashier mixed people's groceries together and they all wound up in your pantry. Therefore, someone else's completely different website data just showed up at the bottom of your screen in a garble of text.

For my nerds: When the parser encountered an open attribute at the end of a page, it did not know to stop. Instead, it continued to read from adjacent memory, which contained data from other customers' requests. Read Cloudflare's general writeup and incident analysis for more info.
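The over-read described above, as a simplified model in C (an added example, not Cloudflare's code): the flawed `==` end test and the `>=` fix follow Cloudflare's incident report, while the two-byte step after an opening quote, the sample page and the neighbouring cookie are constructed for illustration. Both buffers live in one array so the demo itself never reads out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed data: a page ending in an open attribute, followed in the
 * same arena by bytes standing in for another customer's request. */
static const char PAGE[]  = "<IMG HEIGHT=\"50px\" SRC=\"";
static const char OTHER[] = "Cookie: session=EXAMPLE-NOT-REAL";

/* Toy attribute scanner: copies every byte it visits into out and returns
 * how many of those bytes lay beyond the end of the page (pe).
 * use_ge = 0: end test is p == pe (flawed); use_ge = 1: p >= pe (hardened). */
size_t scan_page(int use_ge, char *out, size_t cap)
{
    char arena[sizeof PAGE + sizeof OTHER];
    size_t page_len = strlen(PAGE), n = 0, leaked = 0;
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, OTHER, sizeof OTHER);

    const char *p = arena;
    const char *pe = arena + page_len;       /* end of this customer's page */
    const char *limit = pe + strlen(OTHER);  /* demo-only stop, keeps reads in-bounds */
    int in_value = 0;

    while (p < limit && n + 1 < cap) {
        if (use_ge ? (p >= pe) : (p == pe))
            break;                           /* end of buffer detected */
        if (p >= pe)
            leaked++;                        /* byte belongs to someone else */
        out[n++] = *p;
        if (*p == '"' && !in_value) {
            in_value = 1;
            p += 2;  /* assumed model: quote and first value byte consumed unchecked */
        } else {
            if (*p == '"')
                in_value = 0;
            p++;
        }
    }
    out[n] = '\0';
    return leaked;
}

int main(void)
{
    char out[128];
    for (int ge = 0; ge <= 1; ge++) {
        size_t leaked = scan_page(ge, out, sizeof out);
        printf("%s: %zu bytes past page end: %s\n", ge ? ">=" : "==", leaked, out);
    }
    return 0;
}
```

With `==` the pointer lands one byte past `pe` after the final open quote, so the end test never fires and the neighbouring bytes are emitted; with `>=` the scan stops at that point.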

An estimated 0.00003% of page requests contained leaks. But ten million requests a minute starts to pile up.

So we're screwed?

Not quite. In fairness, Cloudflare has done a solid job responding to the incident and is being transparent. The issues were fixed the same day and they immediately contacted search engines to start purging bugged pages.

At this point they're looking for any evidence of data mining. If someone noticed early on and quietly collected that information, after several months they could have something substantial. Thankfully that doesn't seem to be the case.

This was like leaving the faucet on all day when you leave for work. Nobody was hurt or defamed, but you seriously question the kind of adult you're turning out to be. Cloudbleed is a reminder for the tech world that silly mistakes can still happen without anyone noticing.

If you frequently use services mentioned above, change your passwords. Not much else to do right now.

That's all folks. Hopefully we learned something today.

Drop a comment or reach out on social media to discuss with me.

@pjmulroe #MakeSecurityGreatAgain #Cloudbleed
