February 24, 2017

Cloudflare is used by millions of websites on the Internet to add security and scalability to existing web properties. Now a bug in Cloudflare itself effected the opposite, and caused data to leak from possibly any or all Cloudflare customers through no other fault of their own.

To the credit of Cloudflare, as soon as they were made aware of the problem, they have quickly addressed the issue and have transparently documented and announced what happened in all its technical details. The Internet community has obviously taken immediate notice as well, and a complete list of all sites using Cloudflare (which are all potentially compromised due to the bug) was also collected and published.

Note that the wording used here is "potentially" or "possibly" compromised, because due to the somewhat random nature of the occurrence of the bug (these were buffer overruns, for those of you who appreciate what that means), no one can really know what data exactly leaked and where, and who was able to see it. And since that is the case, the public has been advised to change all credentials on all affected sites, as well as all credentials on other sites as well if you happened to use the same passwords across different sites. Now that's a lot of work ... Change all passwords ... Again.

The links above lead to documents that are very much meant for geeks. But especially if you just look at the latter link and simply scroll down, you will notice a very long list of websites that are possibly affected (well, actually the list you see there is just the highlights, and since it's a little bit hard to collect them all, these lists are probably not complete). The lists are like that because Cloudflare is extremely popular. The "full list" behind that link lists 4.2 MILLION domains. All using Cloudflare. All possibly compromised. And yes, in case you were wondering: YOU use a lot of those sites. Believe me.

Good luck to us. So yes, please, everyone: Change all your passwords. Again. Better safe than sorry.

It is no secret that in my security related talks I have many times subtly reminded people that "adding security" by simply plugging in an additional external service (particularly Cloudflare) does not solve anything. This is just living proof of that. In fact, architecturally speaking, it is a really bad idea to add more software to the mix. As we saw, here, adding Cloudflare to an existing site actually increased the attack surface, and added more potential vulnerabilities. And unfortunately, in this case, that "potential", became a reality.

(I'm not going to dive into the technical details here and now, but reading the technical description of the root cause of the issue and the overall Cloudflare infrastructure brought me to a lot of face palms... Despite the fact that they do continue to have my full respect for the transparency and professionalism with which they handled the issue. But it really comes to show how "adding security" by subscribing to yet another service indeed increases the attack surface and therefore reduces security.)

For my friends in IT, system architecture and software engineering practices, once again, please, let's secure our solutions by simplifying the solution, not by adding complexity. If you can throw money at an engineering problem, then it's probably not the right solution.

Share this article: