Tech Translation - Cloudbleed | The Odyssey Online
Start writing a post
Lifestyle

Tech Translation - Cloudbleed

What's that red rain? Your data.

9
Tech Translation - Cloudbleed
Peter Mulroe

In a staggering display of modern irony, Cloudflare, a large content delivery network (CDN) and internet security provider unknowingly leaked user data for months.

The cause was an obscure bug that emerged in September 2016 and lasted until this past February. A software "bug" refers to a coding flaw that causes unexpected results or behaviors.

This bug caused random user information to be displayed below normal content on pages and apps. Like the image below, it was a a seemingly scrambled bunch of letters and foreign symbols.

That scramble is another user's internet traffic. Mostly mundane but also potentially containing passwords, cookies and tokens in plain sight, for anyone who activated the bug to see.

Notable affected names include - Patreon, 4chan, Yelp, OkCupid, and Uber. View the whole list here.

To make matters worse those pages were saved, or cached, by search engines. Awkward.

How did this happen? What are the repercussions?

That's our Tech Translation topic. Class is in session.


The Short Explanation

While different from past issue nicknames like Heartbleed, nerds apparently lack originality and went with Cloudbleed. One article comment from The Hacker News pointed out that clouds don't bleed, but can form fallstreak holes. Cloudstreak has a better ring to it, no? #VoteForCloudstreak

I digress.

Cloudflare is an intermediary for internet companies and their users. Site and app content pass through their networks before reaching you. In September they updated their information parsing software, which scans and modifies your content to provide modern features like hiding your email from scummy ad robots.

Bugs tend to emerge under some odd combination of settings and circumstances. In this case, about 0.06% of all web pages end with a broken script or image tag. For instance, if the very last thing on a site is an image, the code could be:

<IMG HEIGHT = "50px" WIDTH = "200px" SRC="

Normally the image URL would go after SRC= and a closing "> wraps it up neatly. It's not a huge deal, most browsers can handle small syntax errors like that.

The problem was their code to inspect all that website code, otherwise known as a parser. It was written with Ragel, by the way.

Imagine you're at the grocery store, waiting to check out. The cashier is blind and can only tell when your stuff, the site you're looking at, ends by the plastic dividers.

The laden conveyor represents everyone's internet traffic. Separate groups and item combinations, but all traveling along Cloudflare's network.

Due to a misorder of commands and a whole lot of crap luck, those grocery dividers did not stay put. The cashier mixed people's groceries together and they all wound up in your pantry. Therefore, someone else's completely different website data just showed up at the bottom of your screen in a garble of text.

For my nerds: When the parser encountered an open attribute at the end of a page, it did not know to not stop. Instead it continued to read from adjacent memory, which contained data from other customers' requests. Read Cloudflare's general writeup and incident analysis for more info.

An estimated 0.00003% of page requests contained leaks. But ten million requests a minute starts to pile up.

So we're screwed?

Not quite. In fairness, Cloudflare has done a solid job responding to the incident and is being transparent. The issues were fixed the same day and they immediately contacted search engines to start purging bugged pages.

At this point they're looking for any evidence of data mining. If someone noticed early on and quietly collected that information, after several months they could have something substantial. Thankfully that doesn't seem to be the case.

This was like leaving the faucet on all day when you leave for work. Nobody was hurt or defamed, but you seriously question the kind of adult you're turning out to be. Cloudbleed is a reminder for the tech world that silly mistakes can still happen without anyone noticing.

If you frequently use services mentioned above, change your passwords. Not much else to do right now.

That's all folks. Hopefully we learned something today.

Drop a comment or reach out on social media to discuss with me.

@pjmulroe #MakeSecurityGreatAgain #Cloudbleed

Report this Content
This article has not been reviewed by Odyssey HQ and solely reflects the ideas and opinions of the creator.
Featured

12 Midnight NYE: Fun Ideas!

This isn't just for the single Pringles out there either, folks

15065
Friends celebrating the New Years!
StableDiffusion

When the clock strikes twelve midnight on New Year's Eve, do you ever find yourself lost regarding what to do during that big moment? It's a very important moment. It is the first moment of the New Year, doesn't it seem like you should be doing something grand, something meaningful, something spontaneous? Sure, many decide to spend the moment on the lips of another, but what good is that? Take a look at these other suggestions on how to ring in the New Year that are much more spectacular and exciting than a simple little kiss.

Keep Reading...Show less
piano
Digital Trends

I am very serious about the Christmas season. It's one of my favorite things, and I love it all from gift-giving to baking to the decorations, but I especially love Christmas music. Here are 11 songs you should consider adding to your Christmas playlists.

Keep Reading...Show less
campus
CampusExplorer

New year, new semester, not the same old thing. This semester will be a semester to redeem all the mistakes made in the previous five months.

1. I will wake up (sorta) on time for class.

Let's face it, last semester you woke up with enough time to brush your teeth and get to class and even then you were about 10 minutes late and rollin' in with some pretty unfortunate bed head. This semester we will set our alarms, wake up with time to get ready, and get to class on time!

Keep Reading...Show less
Student Life

The 5 Painfully True Stages Of Camping Out At The Library

For those long nights that turn into mornings when the struggle is real.

3049
woman reading a book while sitting on black leather 3-seat couch
Photo by Seven Shooter on Unsplash

And so it begins.

1. Walk in motivated and ready to rock

Camping out at the library is not for the faint of heart. You need to go in as a warrior. You usually have brought supplies (laptop, chargers, and textbooks) and sustenance (water, snacks, and blanket/sweatpants) since the battle will be for an undetermined length of time. Perhaps it is one assignment or perhaps it's four. You are motivated and prepared; you don’t doubt the assignment(s) will take time, but you know it couldn’t be that long.

Keep Reading...Show less
Student Life

The 14 Stages Of The Last Week Of Class

You need sleep, but also have 13 things due in the span of 4 days.

1839
black marker on notebook

December... it's full of finals, due dates, Mariah Carey, and the holidays. It's the worst time of the year, but the best because after finals, you get to not think about classes for a month and catch up on all the sleep you lost throughout the semester. But what's worse than finals week is the last week of classes, when all the due dates you've put off can no longer be put off anymore.

Keep Reading...Show less

Subscribe to Our Newsletter

Facebook Comments