State and Federal Customers Evade Cloudbleed Bug

Questions about whether Cloudflare's breach had an effect on public-sector data have been answered — officials say no signs of foul play are evident.

by / March 1, 2017

When news first broke about last week's “Cloudbleed” leak, the cybersecurity community panicked. What did the news mean? What is the total exposure?

At that point in time, all we knew

was that an unforeseen bug caused a memory leak that was potentially exposing private information through malformed websites. This information included things like authentication tokens, cookies and other sensitive data, but company officials say the bulk of the information was internal headers and certificates.

Following the a notification through Twitter from Google Project Zero’s Travis Ormandy, teams began to investigate, mobilizing their response in only 47 minutes.

A few days later — five, to be exact — the smoke seems to have cleared; those piloting Cloudflare, the Internet security company at the center of the incident, through the aftermath are confident that any damage has been relegated to bits of fairly indecipherable data. While they fully admit the bug was a serious issue, officials say they are confident in their timely response and cleanup efforts.

Marc Rogers, head of information security for Cloudflare, said that while much of the information that came out as a result of the bug was not easily decipherable, the potential for misuse is a concern on some levels.

“In our search we specifically analyzed all of the data we looked at for sensitive things, and we did not find any Social Security numbers, we didn’t find any passwords and we didn’t find any credit card numbers,” he told Government Technology. “There is obviously still the risk of something like that out there, but we searched many thousands of examples, and I believe this last week and weekend, the whole Internet has now been searching, and we’ve yet to hear of a single example of this being found.”

With around 5.5 million customers reported worldwide, the incident was bound to intersect with the public sector at some level. Though the company could not disclose the public-sector customers it works with, per policy, Cloudflare officials broadly acknowledged that state and federal organizations do use their services.

As the head of Policy and General Counsel, Doug Kramer explained that searches for sensitive data have so far turned up more than 150 cases. Of those cases, he said, none was tied to Cloudflare's public-sector clients.

“I can tell you that none of those 150 customers are a public-sector customer. That’s not to say that they may not have been impacted because over time, the caches have cleared and turned over, the logs have turned over, so we can’t see absolutely every episode of this. But of the stuff that is available to us, we haven’t seen any impact on public-sector customers.”

While looking into early reports of the incident, Government Technology discovered at least two state Cloudflare clients through a third-party search engine tool — Arizona and Missouri.

Though we were unable to confirm Missouri’s relationship, a spokesperson for Arizona’s Strategic Enterprise Technology agency confirmed that the state had been contacted by the company and none of the websites in question were affected.

“We are aware of the situation and were notified by Cloudflare that none of the state of Arizona websites behind our Cloudflare account were affected," the spokesperson said via email. "As always, we are diligent about cybersecurity and we continue to monitor the Cloudflare situation.”

Rogers and Kramer both said that the company is working closely with the affected customers to create appropriate mitigation plans. In addition, the team is working with search engine companies to clear caches that might hold remnants of any sensitive data.

“Our general recommendation is that people sort of roll over a lot of those persistent secrets in their internal authorization tokens just to address that concern, but those are the kinds of things we have been talking to people about,” Kramer explained.

“This is not someone who was coming to get a treasure trove of information. It was a situation where this information was inadvertently leaked and displayed to people who weren’t looking for it, probably didn’t know what they were looking at, and even if they did know what they were looking at, in most circumstances it would have looked like a bunch of gibberish."
Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as  assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.