A researcher from Google’s Project Zero published the details of Cloudbleed, a bug that causes Cloudflare reverse proxies to dump uninitialised memory into responses, a vulnerability that mobile app security testing cannot detect.
With Cloudflare’s network serving over 2 million websites, data from any of them could have been exposed. Although this is speculative, it is wise to assume that your data was potentially compromised from September 2016 until 20 February 2017. Some of the leaked data was also publicly cached by search engines, which are now clearing their caches.
The potential range of information dumped includes confidential information (emails, private messages), user identity information (Personally Identifiable Information as well as Protected Health Information), and user, application or device credentials (passwords, API keys, authentication tokens, etc.).
Catch Cloudbleed with mobile app security testing?
Because this issue lies in the infrastructure rather than the app, mobile app security testing cannot detect it. However, since many mobile apps share a backend with their parent website for content and HTTPS termination, there were questions over which mobile apps were affected.
Research from mobile app security testing company NowSecure looked at 200 iOS apps from a sample of 3,500 to see whether these mobile apps were also affected. A number of mobile apps such as ABC News, Breitbart, CNN, Dropbox, and Microsoft Outlook use Cloudflare, and users on Hacker News confirmed that HTTP header data from apps such as Discord, Fitbit, and Uber was cached, showing that a number of apps were compromised.
What do I do?
If you’re a user of one of the affected apps, change your passwords now. If you built an app that uses Cloudflare for hosting, check online for data cached by search engines that contains leaked user and session data, and require your users to change their passwords.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.