Today, Google’s Project Zero team published details of a bug that causes Cloudflare reverse proxies to dump uninitialized memory. People are beginning to call the bug “Cloudbleed.” This is a big deal, and the Cloudflare Cloudbleed bug affects mobile apps.

What is the Cloudflare Cloudbleed bug?

According to Cloudflare's incident report, the leak was triggered by three features, “e-mail obfuscation, Server-side Excludes and Automatic HTTPS Rewrites.” Because Cloudflare's edge proxies serve every customer from the same processes, the memory that leaked could contain request and response data from any site behind Cloudflare, not only from the sites that had those three features enabled, so the bug impacted a wide spectrum of customers and services. Some 2 million websites on the Cloudflare network may be affected. Leaked data seen so far includes HTTP Authorization headers (Basic auth credentials), OAuth tokens, session cookies, usernames, and passwords.

How does the Cloudbleed bug affect mobile apps?

Mobile applications are potentially impacted because in most cases they talk to the same backends as web browsers, behind the same Cloudflare content delivery and HTTPS (SSL/TLS) termination. Users on Hacker News have confirmed leaked HTTP header data for apps such as Discord, FitBit, and Uber by searching through search engine caches with targeted search terms.
As Cloudflare's incident report puts it, “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” which is chilling. This issue is possibly worse than the Heartbleed bug because this time the leaked data has been cached throughout the Internet (or “sprayed into caches all across the Internet,” as one Hacker News commenter put it) by search engines including DuckDuckGo, Baidu, and Google throughout the lifetime of the bug. Search engines constantly crawl the web, and leaked Cloudflare customer data would simply be part of the pages those engines cached.
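The first question for any app you maintain or use is therefore whether its backend hosts are proxied through Cloudflare at all. Cloudflare's edge announces itself in every response it proxies (a Server banner containing "cloudflare" and headers such as CF-RAY and CF-Cache-Status), so a traffic capture taken while exercising the app is enough to answer it. The script below is an added example, not code from the original post or from NowSecure; the host names and captured responses are constructed for illustration, while the header names are the ones Cloudflare's edge actually sets.

```python
from typing import Dict, List, Tuple

# Constructed sample of raw HTTP responses as an intercepting proxy (for example
# mitmproxy) would record them while exercising an app. Hosts and values are
# made up for illustration; the header names are the ones Cloudflare's edge adds.
CAPTURED_RESPONSES: List[Tuple[str, str]] = [
    ("api.example-fitness.test",
     "HTTP/1.1 200 OK\r\n"
     "Date: Thu, 23 Feb 2017 20:00:00 GMT\r\n"
     "Content-Type: application/json\r\n"
     "Server: cloudflare-nginx\r\n"
     "CF-RAY: 3363b2a5c7f42b17-ORD\r\n"
     "\r\n"
     "{\"ok\":true}"),
    ("cdn.example-photos.test",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: image/jpeg\r\n"
     "Server: AmazonS3\r\n"
     "\r\n"),
    ("api.example-chat.test",
     "HTTP/1.1 401 Unauthorized\r\n"
     "Content-Type: application/json\r\n"
     "CF-RAY: 3363b2c1de8a2f44-SJC\r\n"
     "CF-Cache-Status: MISS\r\n"
     "\r\n"
     "{\"error\":\"unauthorized\"}"),
]

# Response headers that Cloudflare's edge adds to traffic it proxies.
CLOUDFLARE_HEADERS = ("cf-ray", "cf-cache-status")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.x response with names lower-cased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_cloudflare_fronted(headers: Dict[str, str]) -> bool:
    """True when the response carries Cloudflare's Server banner or a CF-* header."""
    if "cloudflare" in headers.get("server", "").lower():
        return True
    return any(name in headers for name in CLOUDFLARE_HEADERS)


def cloudflare_hosts(captures: List[Tuple[str, str]]) -> List[str]:
    """Hosts in a capture whose responses came through Cloudflare, sorted and de-duplicated."""
    return sorted({host for host, raw in captures
                   if is_cloudflare_fronted(parse_headers(raw))})


if __name__ == "__main__":
    for host in cloudflare_hosts(CAPTURED_RESPONSES):
        print(f"{host}: fronted by Cloudflare")
```

A hit here means the host was proxied through Cloudflare, which is the precondition for exposure, not proof that this app's requests were in the memory that leaked; a miss in a single capture is not proof of safety either, since a backend can front only some of its hosts with Cloudflare or strip the banner on the way to the client.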

What should I do about the Cloudbleed bug?

Because of the cached data, cleaning up the mess may, unfortunately, take quite a while. If I were responsible for a service that sat behind Cloudflare during the affected window (Cloudflare's report puts the earliest possible leak at September 22, 2016, with the greatest impact between February 13 and February 18, 2017), I would scour search engine caches right now for leaked authentication tokens and user credentials before the rest of the Internet makes use of them. For everything I found, and ideally for every session and token issued during that window, I would terminate the sessions, revoke and reissue OAuth tokens and API keys, and require password changes for affected accounts. Keep in mind that the leak happened inside Cloudflare's proxies rather than at your origin, so your own logs cannot tell you which requests were exposed; the caches are the only evidence.
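Searching caches by hand does not scale past a handful of hits, so it helps to have a scanner that takes the text of a cached page and pulls out anything that looks like a leaked request header or form field carrying a credential. The script below is an added example, not code from the original post or from NowSecure. The cached text it scans is constructed (every host, token and password in it is made up), the header and parameter names it looks for are a starting set rather than a complete one, and decoding of Basic credentials is included because that is the one form of leaked header that reveals a password directly.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample: text resembling a cached copy of an unrelated page into which
# a chunk of proxy memory (other customers' requests) has been spliced. Every host,
# token and credential here is made up.
CACHED_SAMPLE = """<html><body><p>Weather for Chicago: 4C, cloudy</p></body></html>
POST /api/v2/login HTTP/1.1
Host: api.example-ride.test
Authorization: Basic YWxpY2U6aHVudGVyMg==
Cookie: session_id=9f3c1b7e2a4d; remember=1
Content-Type: application/x-www-form-urlencoded

username=alice&password=hunter2
GET /v1/user/me HTTP/1.1
Host: api.example-chat.test
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLWV4YW1wbGU
X-Api-Key: ak_test_7Qm2vZx9LpR4sT1uW8yB
"""

# Request headers that carry credentials if they turn up in a page cache (starting set).
CREDENTIAL_HEADERS = ("authorization", "cookie", "set-cookie", "x-api-key", "x-auth-token")
HEADER_RE = re.compile(
    r"^(" + "|".join(CREDENTIAL_HEADERS) + r")\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Form or query parameters whose value is a secret (starting set).
FORM_SECRET_RE = re.compile(
    r"(?:^|[&?])(password|passwd|client_secret|access_token|refresh_token)=([^&\s]+)",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic(value: str) -> Optional[str]:
    """Decode an 'Authorization: Basic ...' value to 'user:password', or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if ":" in decoded else None


def find_leaked_credentials(text: str) -> List[Dict[str, str]]:
    """Return every credential-bearing header or form field found in cached text."""
    findings: List[Dict[str, str]] = []
    for match in HEADER_RE.finditer(text):
        name, value = match.group(1).lower(), match.group(2)
        findings.append({"kind": "header", "name": name, "value": value})
        basic = decode_basic(value) if name == "authorization" else None
        if basic:
            findings.append({"kind": "basic-credential", "name": name, "value": basic})
    for match in FORM_SECRET_RE.finditer(text):
        findings.append({"kind": "form", "name": match.group(1).lower(), "value": match.group(2)})
    return findings


def redact(value: str, keep: int = 6) -> str:
    """Keep a short prefix so a finding can be matched to an account without re-publishing it."""
    return value[:keep] + "..." if len(value) > keep else value


if __name__ == "__main__":
    for finding in find_leaked_credentials(CACHED_SAMPLE):
        print(f"{finding['kind']:17} {finding['name']:14} {redact(finding['value'])}")
```

Feed it the text of each cached page you retrieve, write the full values only to a store you control, and print redacted values anywhere else: the point of the exercise is to find out which accounts and tokens to revoke, not to copy the leaked secrets into another log.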

Data sample including potentially affected mobile apps

Interestingly, as part of our mobile app security testing and the NowSecure Intelligence engine that powers our mobile app reputation service, we collect dynamic analysis data, including the network traffic each app generates, for hundreds of thousands of popular apps from Google Play and the Apple App Store. I ran a quick query to see which iOS apps use Cloudflare services and may have been impacted by this bug. So far, researchers have identified leaked data associated with the FitBit Android, Uber, and Discord apps. Below is a screenshot with detailed information from our engine.

List of potentially affected iOS apps

Below is a list of 200 iOS apps that I identified as using Cloudflare services, out of a sample of approximately 3,500 of the most popular free apps on the App Store (about five percent of the apps sampled). Using Cloudflare is the precondition for exposure rather than proof that an app's data leaked, but we recommend that users of these apps take precautions: proactively reset passwords and monitor account activity closely while cleanup is underway.

David Weinstein, CTO at NowSecure

David has been knee-deep in advanced computer and mobile security research for more than 12 years. As a breaker and builder, he is passionate about solving customer challenges through innovation, teamwork and rigorous engineering practice.

David has developed ground-breaking techniques and technologies, spoken at numerous security conferences as an industry expert, and organized a dream-team of security researchers with world-class development and prototyping capabilities. David has spoken and written on a diverse range of topics from envisioning the defensive capabilities of a smart phone charger at IEEE Security and Privacy, to exploitation techniques and the impact of corporate espionage via mobile device compromise at Troopers and RSA conferences.

David and his team have discovered critical vulnerabilities, novel attack vectors, and publicly disclosed vulnerabilities impacting millions of devices and users worldwide. Members of the NowSecure research team are incredibly prolific, having developed popular open source tools and projects in the mobile security space including Frida, Radare and the Android Vulnerability Test Suite.

David previously served in security and vulnerability research roles at MITRE, the Institute for Defense Analyses, and Pitney Bowes. He has been granted two patents solving thin-client computing and mobile security challenges and has multiple patents pending. David holds a Bachelor’s degree in Computer Systems Engineering and Computer Science from Rensselaer Polytechnic Institute.