back to article Cloudbleed: Big web brands 'leaked crypto keys, personal secrets' thanks to Cloudflare bug

Big-name websites potentially leaked people's private session tokens and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google researchers. As we'll see, a single character – '>' rather than '=' – in Cloudflare's software source code sparked the security blunder. Cloudflare helps companies …

  1. Anonymous Coward
    Anonymous Coward

    xhml5

    Wouldn't have happened if the clients were serving xhtml5, which fails noisily in testing. You can't serve malformed CSS or JavaScript, so why accept such sloppiness from your html?

    (If you've not checked in with xhtml lately, they got rid of the boilerplate and other weirdness. It's very similar to html5 apart from not being shit soup.)

    1. DJ Smiley

      Re: xhml5

      or they could just not parse html...

      1. Destroy All Monsters Silver badge

        Re: xhml5

        Yeah.

        If only there were programming languages in 2017 that checked for buffer overflows....

    2. Anonymous Coward
      Anonymous Coward

      Re: xhml5

      > You can't serve malformed CSS or JavaScript

      ???

      In my experience, bad Javascript just fails silently. If you explicitly open up the developer console in your browser, you may see an error. Otherwise there's no indication.

  2. Anonymous Coward
    Anonymous Coward

    More CloudFog

    And yet try stopping the masses flocking to the cloud...

    1. phuzz Silver badge

      Re: More CloudFog

      How exactly would a CDN work, if it wasn't running on servers all over the world in big data centres (ie basically 'the cloud')?

      1. Anonymous Coward
        Anonymous Coward

        'How exactly would a CDN work'

        How many users have put personal / confidential info up on OkCupid / Uber / Discord, that they now regret or should regret???

        Discord in particular gets routinely abused and used for confidential chats, that should only be done by voice or in-person...

        No matter how many breaches occur, users live in self-denial. After a breach / leak / hack there's a belief that the damage dissipate and fades. Where's the evidence to support that?

        Russian hackers in particular are adept at hoovering everything using automated bot farms and filing it all away for future use.

        So keep going with the 'how else could the net work' line. Be smug! When this is really about how else should users work...

        Given that we are losing the Data Wars to Cybercrims, and no one has your back anymore!

        1. Anonymous Coward
          Anonymous Coward

          Re: 'How exactly would a CDN work'

          "Discord in particular gets routinely abused and used for confidential chats, that should only be done by voice or in-person..."

          So if they live too far away to meet in person and can't trust the phones to not be tapped, they're basically screwed?

  3. Frank Zuiderduin

    Unbelievable

    Range checking using equals instead of greater/equals... What script kiddie did they hire to code that bit? No, scratch that. A script kiddie would probably have known better.

    1. Dan 55 Silver badge

      Re: Unbelievable

      The problem is in the Ragel compiler I would have thought.

      1. wikkity

        Re: Unbelievable

        O my the compilers fault if it generated code that did not do what the source specified. The error in this car was a programmer.

        1. wikkity

          Re: Unbelievable

          Sorry, no idea what went wrong with that, possibly no beer on a Friday afternoon. I meant to say:

          Only the compilers fault if it generated code that did not do what the source specified. The error in this case was down to a programmer.

    2. Old Handle

      Re: Unbelievable

      Yeah, actually it looks like an "I know what I'm doing" kind of error. Unless there's some microsecond processing advantage I don't know about the only reason to use == would be misguided confidence that it could never be greater.

      1. patrickstar

        Re: Unbelievable

        Wouldn't be any difference in speed at all on any arch I can think of...

        In other news, this bug reminds me of MS08-067, though it ended up going past the _start_ of a buffer. See http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    3. d3rrial

      Re: Unbelievable

      According to their statement it was autogenerated code.

  4. Old Handle
    Boffin

    Uh-oh

    You guys (El Reg) use cloudflare, don't you? Hope your HTML is well-formed.

    1. Gareth79

      The only difference between sites with malformed HTML and not is that the malformed sites would look like they were hosting the other site's sensitive data. Ohwait that's not good actually!

    2. oxfordmale78

      Re: Uh-oh

      W3C validator says no:

      https://validator.w3.org/nu/?doc=https%3A%2F%2Fforums.theregister.co.uk%2Fforum%2F1%2F2017%2F02%2F24%2Fcloudbleed_buffer_overflow_bug_spaffs_personal_data%2F

  5. Bronek Kozicki

    "elsewhere p becomes greater than pe" I would suggest that in the face of this happening, replacing "==" with ">=" is merely a workaround and not a proper fix. The proper fix would be to perform the same check in any location where "p" is increased (or "pe" decreased).

    With the workaround alone as implemented, the code will jump to "_test_eof" when p is already too large, which might also lead to a small leak of data.

    Anyway, a proper way to prevent bugs similar like this one from happening is to built a proper automated testing into your software development process. Since they are using a domain specific language, then perhaps unit testing might be too difficult, but nothing excuses them from not running a regression test suite (that is, as long as they do have one).

    1. Jason Bloomberg Silver badge
      FAIL

      Anyway, a proper way to prevent bugs similar like this one from happening is to built a proper automated testing into your software development process.

      The proper way is to prevent them from occurring in the first place; use a language which doesn't permit buffer overflows, doesn't have a reliance on pointers where anything could go wrong, as it so often does.

      It seems 'we' keep on using languages which allow things to go wrong and are continually surprised when things do go wrong. The lessons are not being learned.

      1. d3rrial

        Fine... I'll use more Rust in the future...

      2. Anonymous Coward
        Anonymous Coward

        Because speed sells. Garbage collection takes time most can't spare, especially in time-sensitive or highly-clustered jobs. Even garbage collection in hardware kills the speed.

  6. Bronek Kozicki

    anyone else ...

    ... had been asked to re-authenticate to their Google account, today morning? This is something referred to at the end of page El Reg linked to. Apparently not related to CloudFlare bug, but the timing is curious.

    1. MK_E

      Re: anyone else ...

      I was wondering what all that was about.

    2. fajensen
      FAIL

      Re: anyone else ...

      Nope or maybe, I have a zombie google account. My Skype account has been hacked twice, someone sending messages to all contacts on my behalf. Of course not hacked according to mickeysoft, I guess that there is another zombie coming right up.

      What happens when ones abandoned accounts get hacked and start spreading jihaddi agitprop and bomb recipes?

    3. Jamie Jones Silver badge

      Re: anyone else ...

      Yep, all my devices required relogin to google today

      1. David Nash Silver badge

        Re: anyone else ...

        Yes late last night I saw a notification on my phone that when pressed triggered a request for my Google password. Naturally suspicious ("How do I know it's Google and not malware that triggered this?) I instead closed it and went to the Google Play App. This triggered the same request, so I decided it was legit. and entered the password.

    4. Test Man

      Re: anyone else ...

      Funnily enough my wife's Samsung Galaxy S5 did last night. I checked the relevant places in My Account and saw nothing suspicious whatsoever.

      But it's very very interesting that there are other people who have also experienced the same.

  7. Destroy All Monsters Silver badge
    Thumb Up

    Nice writeup

    Should go into the "entirely avoidable IT Chernobyl events" dossier.

  8. Martin Gregorie

    In any case...

    ... why should anybody be publishing malformed HTML? Haven't they heard of HTMLtidy?

    This also applies to web authoring tool vendors, who should be using fully comprehensive, properly maintained regression test suites and making sure that the comparison outputs contain valid HTML.

    1. Marco Fontani

      Re: In any case...

      ... why should anybody be publishing malformed HTML? Haven't they heard of HTMLtidy?

      Yes, but most distributions carry a very old version which croaks horribly with the most common things naïve writers throw at it: "broken html" input (AKA "tagsoup"), and HTML5 tags :|

      Getting from "shitty tagsoup" to "well-formed HTML" is harder than it looks at first ;)

  9. John Smith 19 Gold badge
    Unhappy

    Not sure if it's Ragel or the dev whose at fault here.

    Ragel can write an FSM in C to parse a language.

    But it also allows inlining of code by the dev.

    It's not clear if the problem code was written by Ragel as part of the FSM or inserted by the dev.

    If it's the dev then problem probably solved (although you should check the rest of the codebase to see if this idom shows up again).

    If it was Ragel generated then any FSM generated by Ragel could have issues.

    1. Destroy All Monsters Silver badge

      Re: Not sure if it's Ragel or the dev whose at fault here.

      "You're reading a badly formatted HTML page. You come across an unclosed img tag right in the middle."

      "Is this testing whether I'm a bad FSM code generator or have inlined lousy code, Mr Ormandy?"

      1. Dan 55 Silver badge

        Re: Not sure if it's Ragel or the dev whose at fault here.

        "You show the code to your project manager. He likes it and posts it to the company wiki. There's a dangling pointer..."

    2. jelabarre59

      Re: Not sure if it's Ragel or the dev whose at fault here.

      It's not clear if the problem code was written by Ragel as part of the FSM or inserted by the dev.

      I could see a situation where someone was reviewing/cleaning up/tweaking code, accidentally deleted a single character, and put the wrong one back in.

    3. wikkity

      Re: Not sure if it's Ragel or the dev whose at fault here.

      Definitely the developer, cloudfare even admit that if you read the write up.

  10. ZenCoder
    Coat

    Conceptual Commentary.

    <Insert standard rant in response to trigger phrase "machine-generated code">

    <Give semi-concise real world personal example>

    <Resist urge to correct factual errors made by previous posters>

    <Choose not make expert statements because due to 50% coming from a textbook, 15% coming from limited real life experience and the rest from Wikipedia. >

    <Add an Icon>

  11. Anonymous Coward
    Anonymous Coward

    The Cloud...

    Other peoples you have no control over, and have no guarantee of your data being kept private

    1. Anonymous Coward
      Anonymous Coward

      Re: The Cloud...

      Company moved to Office 322 last year and my financial statement of this year is stored on the cloud ... I am not happy with it, however, what can I do .... I am just a serf .... I am terrified at the idea of complaining ...

    2. Roj Blake Silver badge

      Re: The Cloud...

      The security and data protection at a decent cloud company will put 99% of in-house solutions to shame.

      Emphasis on the decent.

  12. sallyho7

    Need to focus on the product/service instead of its brand

    Any company that starts to focus on themselves too much always worries me. Every time I see some big announcement about a logo redesign, I wonder how long the company will last. So is it just a coincidence CloudFlare rebranded itself at the same time as this particular fault was created? See

    https://blog.cloudflare.com/time-for-an-update/

    Concentrate on the important things first.

  13. mitch 2

    List of affected sites: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

    1. Destroy All Monsters Silver badge

      Affected

      > ashleymadison.com

      > ashleyrnadison.com

      Top kek

  14. wikkity

    Impressed

    By the way they handled this. After what seems a professional investigation they've held there hands up, assumed responsibility without trying to pass the buck and did their up most to put things right.

    Sure their testing had a gap but whoses doesn't. More tests get written for bugs than originally implemented.

  15. Anonymous Coward
    Anonymous Coward

    How much time to change passwords?

    I have 150 accounts in my password locker. It's going to take half a day to change them all.

  16. tekHedd

    They all laughted!

    I've been mocked for using >= in for loops just like this. And for using assert. And all of those "best practices" things you're supposed to do. "Oh that can never happen!" Yeah, I know. That's why I checked it, stupid.

    But that's just the problem. It's never the stupid people. It's the smart programmers who do it. It's the REALLY GOOD programmers who don't put any checks in their code, because they "know" it's good. Beware really smart programmers.

    Thank goodness I'm not very smart.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: They all laughted!

      Use violence on the mockers.

      Anyone who has code w/o asserts in it is a fscking loser.

      Same goes basically for types, but there I make an exception because the most lovely programming languages are unityped (for evidently historical reasons as they started off as fast hacks on New Ideas in the 70s).

  17. Kiwi

    Called it!

    Right about here :)

    Ok, no I didn't. But there was some teething problems with CF for me1, went away when I temporarily enabled google in noscript.

    Shame I didn't take a gander at the page code, might've seen something myself...

    1 Main issue was CF's captcha constantly coming up, then any post I made being "lost" after completing the captcha as in I was put back to blank message form, I think I also had times that it was claiming my IP was blocked - so nothing about CF spewing private data, just not working right.

  18. Anthill Beetle

    Undefined behavior anyways

    Your fix is wrong: any pointer comparison operator if one operand went out of memory location is undefined behavior in C. Either don't let it go past end of array, or switch to integer arithmetic.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like