Cloudbleed – Bandaging the Buffer Overflow

March 10, 2017 Posted by Scott Goodwin Cybersecurity, IT Security

Researchers at Google have uncovered a vulnerability affecting a leading content delivery network (CDN) provider. Users of websites belonging to Uber, OKCupid, and others may have been affected, meaning that some personal information may have been inadvertently shared with other users. A list of potentially affected domains has been published. While it is unlikely that any single account has been compromised as a result of this discovery, users with accounts on any of the affected sites are advised to change their passwords.

Some vulnerabilities are easier to identify than others. For instance, an internet-facing router or firewall with default credentials can be easily discovered and exploited by an adversary. However, in this case, the identification of the Cloudbleed vulnerability required a much more complex set of tools and techniques. These technical vulnerabilities may go undiscovered in production software for months, or even years. When vulnerabilities like these are finally discovered, they put a potentially widespread customer base at risk. It’s likely that highly technical vulnerabilities which might exist in applications or software designed for internal use may never be discovered. However, when that software is exposed to the internet, there is a constant threat of exploitation from malicious users all over the world. Systems that are exposed to the internet are continually poked and prodded by security researchers and hackers alike.

On February 17th, 2017, Google’s Project Zero team announced the discovery of a technical vulnerability affecting a popular content delivery network provider, Cloudflare. The Cloudflare service acts as an intermediary between clients and servers on the internet, improving performance and handling inbound traffic on its customers’ behalf. Cloudflare is a ubiquitous service used by heavyweights like Uber, OKCupid, FitBit, and 1Password. Because each of these companies uses the same Cloudflare infrastructure, each was affected by the vulnerability.

Here’s the problem: in certain cases, requests sent to Cloudflare’s servers would elicit an unexpected response. It turns out that a small percentage of requests were being parsed improperly, causing the server to return arbitrary chunks of its own memory to the user. This is a buffer overflow vulnerability, more precisely a buffer over-read: the parser read past the end of its buffer rather than writing past it. Because sensitive data such as session tokens, passwords, encryption keys, and browsing data may be stored in memory, what was improperly returned to the user could have contained sensitive information about other users, even users of other sites.
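The mechanism described above, as a constructed C illustration added here (not Cloudflare’s code and not the author’s): a simplified attribute scanner runs over a simulated memory arena in which the request is followed by another tenant’s data, with the end-of-buffer check written both the vulnerable way (`p == pe`, which a two-byte step can jump over; Cloudflare’s post-mortem attributed the real bug to an equality check of this kind) and the hardened way (`p >= pe`). The escape handling, the arena contents and the function names are assumptions made for the demonstration.

```c
#include <string.h>
/* Constructed "process memory": a request cut off mid-escape, followed by
 * unrelated data that belongs to another tenant. */
#define REQUEST  "<img src=\"logo\\"
#define ADJACENT "Cookie: session=OTHER-USER-TOKEN\" <p>"
static const char ARENA[] = REQUEST ADJACENT;
static const size_t REQUEST_LEN = sizeof(REQUEST) - 1;
static char RETURNED[128];   /* what the server would send back to the client */
/* Copy the src="..." value of a req_len-byte request into out; return the count.
 * A backslash escapes the next byte, so the scanner steps forward by two.
 * hardened == 0: end test is "p == pe", which a two-byte step can jump over.
 * hardened != 0: end test is "p >= pe" and a truncated escape stops the scan. */
size_t scan_src_value(const char *buf, size_t req_len, size_t mem_len,
                      char *out, size_t out_cap, int hardened)
{
    const char *pe = buf + req_len, *mem_end = buf + mem_len, *p = NULL;
    size_t i, n = 0;
    for (i = 0; i + 5 <= req_len; i++)            /* locate src=" */
        if (memcmp(buf + i, "src=\"", 5) == 0) { p = buf + i + 5; break; }
    if (!p) return 0;
    while (n < out_cap) {
        if (hardened ? (p >= pe) : (p == pe)) break;  /* the check at issue */
        if (p >= mem_end) break;                      /* simulation guard */
        if (*p == '"') break;                         /* closing quote */
        if (*p == '\\') {
            /* truncated escape (hardened only) or end of simulated memory */
            if ((hardened && p + 1 >= pe) || p + 1 >= mem_end) break;
            out[n++] = p[1];
            p += 2;                                   /* may skip past pe */
        } else {
            out[n++] = *p++;
        }
    }
    return n;
}

/* Scan the arena as the server would; returns the byte count, NUL-terminates RETURNED. */
size_t demo_scan(int hardened)
{
    size_t n = scan_src_value(ARENA, REQUEST_LEN, sizeof(ARENA) - 1,
                              RETURNED, sizeof(RETURNED) - 1, hardened);
    RETURNED[n] = '\0';
    return n;
}

/* 1 if the response would carry the other tenant's session token. */
int leaks_other_tenant(int hardened)
{
    demo_scan(hardened);
    return strstr(RETURNED, "OTHER-USER-TOKEN") != NULL;
}
```

With the vulnerable check the scanner copies the other tenant’s cookie into the response; with the hardened check it stops at the truncated request and returns only `logo`.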

Security researchers uncovered this vulnerability using a technique known as “fuzzing”. This technique automates the sending of requests and the analysis of the associated responses from web servers on the internet. By sending many different requests, researchers were able to identify those that successfully triggered the vulnerability. By bombarding the server with requests of this type, it would be possible to retrieve significant portions of the server’s memory.

Some of the returned memory chunks were cached by browsers and search engines, meaning that whatever information was leaked may still be floating around on the internet. It is recommended that users of the affected sites change their passwords, just to be on the safe side, although it is rather unlikely that the vulnerability was exploited maliciously at any point before it was officially disclosed.

This demonstrates the need for enhanced, security-focused testing of any systems that are exposed to the internet. Further, it is crucial to implement vulnerability management and incident response programs internally, and to integrate external service providers with this program, wherever possible. After all, technical vulnerabilities like these sneak past development teams and IT support teams all the time, so it is vital to have a response strategy, rather than relying on the integrity of any software platform.

About Scott Goodwin

Scott manages the Information Security Advisory Services practice within OCD Tech. Prior to joining the firm, he graduated from the University of Massachusetts Boston with a degree in Physics. Scott’s primary engagements include security advisory services, and security assessments against industry standard frameworks including NIST 800-53 and the NIST Cybersecurity Framework, as well as NIST 800-171 assessments for multiple clients in the defense and aerospace sector. Currently, Scott oversees many technical engagements, including vulnerability assessments, and is a lead penetration tester for OCD Tech. Scott is directly responsible for the identification of three previously unknown vendor software vulnerabilities which have been registered with Mitre’s Common Vulnerabilities and Exposures (CVE) database as CVE-2018-11628, CVE-2019-7004, and CVE-2019-19774. Scott is also the key developer on the OCD Tech open source discovery platform, Scrapy. The platform identifies public domain information and provides reporting and alerting for OCD Tech clients upon discovery of key sensitive company/personal information.