CloudBleed is real, and it's really very bad.

We have a truism in cyber-security: the media won’t really be interested in a security flaw until three conditions are true:

  1. It has a name;
  2. It has a logo; and,
  3. It affects an application that everyone understands.

However, so far no one is paying attention to CloudBleed, and they probably should.

Here is the background: most apps on your phone are written by small or growing teams who can’t really afford to run their own hardware or pay for top-notch cyber-security talent. So they tend to outsource this work to organisations like CloudFlare, who run “servers for rent” around the world. CloudFlare also claims to have top-drawer security pros on staff to make sure that their services are secure. It works out cheaper for the app companies because they can rent server space as needed, and when they aren’t using it, other app companies can use those servers.

These “servers for rent” are all around the world. The app companies write their software so that it connects to the nearest server for rent, which makes things quicker for the end-user. A lot of processing is done at this server for rent, and that server then connects back to the app provider’s own servers and relays data in more efficient chunks. It looks something like this:

So, in the case of CloudBleed, companies like Uber then pay CloudFlare to make their applications work efficiently, and to keep them safe from hackers.

However, CloudFlare has made a mistake and now their servers are responding to requests in such a way that they’re sending information they have previously handled to requestors.  It doesn’t sound like a big deal until you see it.

Here is an example of an Uber request, pulled back via the CloudBleed weakness:

Now, this is written in “programmer”, but if you look closely, you can see that this communication contains the location of the Uber request; the client’s name; the phone type; the cipher, session cookie, and token (the secret code used to encrypt data for the conversation); and other information that should be kept private.

In short, the servers are responding to requests by reading “uninitialized memory”: memory that was previously used by other applications and is now available for reuse, but still holds whatever those applications left in it.
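To make that failure mode concrete, here is an added example (not from the original post, and not CloudFlare’s code) that models the class of bug described above in a few lines of C: a shared edge server reuses one buffer for every tenant’s request, and a response built carelessly from that buffer hands tenant B whatever tenant A left behind. The tenant names, the `session_token` value and the buffer size are constructed for illustration, and the real flaw had its own specifics that this model does not claim to reproduce. The hardened version beside it does the two things that stop this class of leak: it only ever returns the bytes it actually wrote for this request, and it scrubs the buffer before the next request can reuse it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a shared "server for rent" that serves
 * several tenants through one reused buffer. Not Cloudflare's code; the
 * tenant names and secret values below are made up for illustration. */

#define BUF_SIZE 64

static char shared_buf[BUF_SIZE];

/* Vulnerable: copies this request into the shared buffer without clearing
 * what the previous request left there, then echoes a fixed-size window of
 * the buffer back regardless of how long this request actually was. */
size_t build_response_leaky(const char *request, char *out, size_t out_len)
{
    size_t n = strlen(request);
    if (n > BUF_SIZE) n = BUF_SIZE;
    memcpy(shared_buf, request, n);          /* old contents survive past n */
    size_t copy = out_len < BUF_SIZE ? out_len : BUF_SIZE;
    memcpy(out, shared_buf, copy);           /* returns the whole buffer */
    return copy;
}

/* Hardened: returns only the bytes written for this request, and scrubs the
 * shared buffer before the next tenant's request can reuse it. */
size_t build_response_safe(const char *request, char *out, size_t out_len)
{
    size_t n = strlen(request);
    if (n > BUF_SIZE) n = BUF_SIZE;
    memcpy(shared_buf, request, n);
    size_t copy = n < out_len ? n : out_len;
    memcpy(out, shared_buf, copy);           /* only this request's bytes */
    memset(shared_buf, 0, BUF_SIZE);         /* scrub before reuse */
    return copy;
}

/* Returns 1 if `needle` appears in the first `len` bytes of `buf`. Searches
 * raw bytes, so it does not stop at an embedded NUL. */
int contains_bytes(const char *buf, size_t len, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > len) return 0;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Tenant A sends a request carrying a (constructed) session token, then
 * tenant B sends a short request. Returns 1 if B's response carries A's token. */
int leaky_path_exposes_previous_tenant(void)
{
    char out[BUF_SIZE];
    memset(shared_buf, 0, BUF_SIZE);
    build_response_leaky("tenant=A session_token=SECRET_A_TOKEN_123", out, sizeof out);
    size_t n = build_response_leaky("tenant=B", out, sizeof out);
    return contains_bytes(out, n, "SECRET_A_TOKEN_123");
}

/* Same two requests through the hardened path. */
int safe_path_exposes_previous_tenant(void)
{
    char out[BUF_SIZE];
    memset(shared_buf, 0, BUF_SIZE);
    build_response_safe("tenant=A session_token=SECRET_A_TOKEN_123", out, sizeof out);
    size_t n = build_response_safe("tenant=B", out, sizeof out);
    return contains_bytes(out, n, "SECRET_A_TOKEN_123");
}

int main(void)
{
    printf("leaky path leaks previous tenant: %d\n", leaky_path_exposes_previous_tenant());
    printf("safe path leaks previous tenant:  %d\n", safe_path_exposes_previous_tenant());
    return 0;
}
```

The point of the model is the shared buffer: on a multi-tenant edge server, memory that one customer’s request touched is exactly the memory the next customer’s request will get, so a response that is sized by the buffer rather than by the request is a cross-tenant leak by construction. Returning only the bytes you wrote is the fix; scrubbing on release is the defence-in-depth that limits the damage when some other code path gets the length wrong.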

CloudBleed is a really big deal because at this point it seems to affect all of CloudFlare’s customers. This includes literally dozens of millions of websites, hundreds of thousands of apps, and basically the entire internet. Pretty much everything you use on the Internet, from Mrs Smith’s blogs to multi-billion dollar Internet banking apps, goes through a CloudFlare or other similar server.

I’m a huge supporter of Cloud technology. However, we have to be realistic: the problem with Cloud Computing is that there is no such thing as “the cloud”. “The Cloud” is just someone else’s computer that you’re renting, security flaws and all.

This is a very big deal, and it should be the IT Security Story of the year.