What Does This Mean For Me: The Cloudflare Leak
In this series, We’re going to take a highly technical topic in the news, and break it down so that a person outside of the industry can understand what’s going on, and how it affects their lives. Experts will be brought in as necessary to broach topics when our regular writers don’t feel qualified.
To give some background, I have a Master’s Degree in Computer Science, and have worked for over a decade to build software in many different industries, from grocery stores to railway transportation. I’d consider myself well versed in many technological fields, including the internet, software security, and software architecture. Now lets get into it.
What Is Cloudflare?
Cloudflare is the largest content distribution network provider in the world. Their main products provide worldwide caching for your websites and services. So what does that mean?
If you’ve ever put up a simple website before, you know that it’s generally a set of files that are put in a folder on a single web server. When someones browser requests your site (say, https://devoid.news), their computer traverses the internet, downloads the files, and then can view it in their browser. For small sites, this works great.
However, as viewership grows, your server can get overloaded with requests. You need to copy those files to other servers, and let https://devoid.news point to the most available server. Furthermore, if someone is on the other side of the globe, it might take a really long time to traverse the internet to get your servers. It would be nice if there was a copy of your site stored closer to the users over there. That’s the service cloudflare provides: They make copies of sites, and store them all around the world so that other companies can have very high availability to all users.
Cloudflare’s service is in very high demand, and are used by companies everywhere. Chances are you’ve downloaded a file from a Cloudflare server in the past hour.
So what’s this Leak?
On February 23rd, Cloudflare announced a bug in their service. Sensitive data (passwords, credit card numbers, bank account numbers, you name it) has haphazardly been being returned as junk data along with normal page requests. Basically, if you have entered any sensitive information into a page using cloudflare (and as I said before, it’s very likely you have done this almost every day), your data may have been sent to another user trying to go to a completely different website.
How does something like that happen?
Obviously we’re not privy to all of Cloudflare’s server code, but I’ll explain the basics of how this could happen. First, files on a computer are generally not completely removed immediately: they are marked as “deleted”, and then are overwritten as new files come in and need to be stored.
Files are stored in sets of blocks: if you ever remember running Defrag on an old Windows computer, that’s a pretty decent mental model.
Sometimes the files don’t completely fill a block, and so random data that was previously in the block fills it up. If this data was a credit card number, then that’s what’s in the block. This usually isn’t an issue, as usually a file delivery system truncates these extra bits: but that takes a very little bit of extra time.
If you’re a company like Cloudflare, all those teensy bits of time add up to a whole lot after billions of requests. So, it may be that someone decided it’d be more efficient to just grab all the blocks and return them, and omit the part where they cut out the extra bit. The extra bits would normally just be ignored.
So why was your sensitive data stored there in the first place? You entered everything on HTTPS, which is supposed to be encrypted and secure!
You should continue only entering sensitive information on sites marked HTTPS. However, HTTPS only ensures security in transit. It only remains secure until it gets to the host server, which is Cloudflare in this case. They unencrypt the data there in order to see what to do with it, and then reencrypt it and send it to the next server for processing if necessary. This all happens in fractions of a second, but all that data added up to a big mess in this case.
So What Do I Do Now?
As of the writing of this article, there have been no exploits reported to coincide with this data leak. So currently, it seems everyone has remained safe. However, it would be smart to start changing your passwords regularly, and you should monitor your credit cards for fraudulent charges. These things happen. You should already be in a habit of routinely monitoring your accounts, as identity theft and credit card fraud were (unfortunately) commonplace even before this leak.