**SECURITY BREACH** User data leaking between accounts

User email addresses are leaking between Cloudflare accounts.

When defining a catch-all address on the Email Routing page, the system suggests previously unknown email addresses as the Destination address.

I initially presumed I had been hacked but now believe this is a leak of user data between Cloudflare accounts.

Today I am creating catch-alls for hundreds of domains. These unknown email addresses appear about 50% of the time.

Most of these addresses are Gmail, Hotmail etc but, occasionally, there is a private domain and, in every such case, that domain uses Cloudflare DNS. This suggests that I am seeing the email addresses of other Cloudflare users. I presume that, in turn, my email address is also being leaked to other users.

There is a theoretical risk that, knowing the specific email addresses associated with Cloudflare accounts, a bad actor could use that knowledge to target them.

My main concern, however, is that if my email address is leaked to other users, they could jump to my initial conclusion that it is a hack and possibly file a complaint with my email provider. That could get complicated but, overall, I consider the risks of this leak to be low. It just reflects poorly upon Cloudflare.

I am posting this here because the support ticket process is too user-hostile and I no longer have the patience to chase Cloudflare to fix problems that affect them more than me. Been there, done that, didn’t get the t-shirt

If other users are seeing the same leak, please add your voice here so that Cloudflare can become aware that there is a problem. That is the fastest way to get the leak fixed.

Hi @imappoet I created ticket 2496502 on your behalf and will flag this post for my Support colleagues to review. You should have received a copy of the ticket and can share whatever details on that you’d like with the Support team. I attempted to reproduce the issue in your account and was unable and hence want my Support colleagues to review.

Hi @imappoet I have alerted the team to this report and they are also unable to reproduce the error. If you get it reliably, can you share a har file reproducing the error and submit it to Support on ticket 2496502?

The destination addresses are shared between all domains on an account. Are you the only person with access to the account?

Hi Cloonan. Apologies for my delay in responding, I have been offline for the past few hours.

I have added screenshots to your ticket that fully demonstrate the glitch, and have supplied 8 unknown email addresses that I happened to take note of.

I will continue to note any more email addresses that are revealed to me.

Hi Michael.

Yes, I am the account’s only user. My 3 “real” destination addresses appear for each domain, alongside a unique unknown email address i.e. I have not seen more than one leaked email address at a time and, so far, I have not seen any individual leaked addresses appear under any of my other domains.

My domains have no previous history with Cloudflare under a different owner.

Thank you for the details. The only auto fill suggestions I see in your account on my machine are addresses I know are in my cache.

Most of the addresses you shared on the ticket do not have Cloudflare accounts and we show no record of them in any of our systems. Can you send support a har so they can see this in process? Can you perhaps try from incognito mode?

I’d suspect that if you have an address pending it’s going to show as an autofill the next time you go to add an address.

I can confirm, correct & true
Pending Destination email addresses do show up on the list of a dropdown menu.

I’m surprised the addresses are not already known to the system. Interesting, thanks for letting me know. I presumed they would at least be destination addresses used by other users.

I cannot double check on my desktop - on my phone now - but, when you say autofill, do you mean that these email addresses are coming from my browser?

My setup might be unusual, but my browsers don’t do that for forms like this. The new unknown address appears on first appearance of that section, with no input from me. In fact, in the case of a newly email-routing-enabled domain, the new email address is already selected and appears as text, not a form entry. It does not become a form until you press edit.

I have also never seen unknown email addresses just appear in forms before. I cannot think of any reason why they would be in my cache. This is happening in three different browsers, but I will try your incognito suggestion in the morning (Brazil time here).

When I first get to the section, the unknown email address is already entered but unverified as a destination address.

This is a new behavior that has not appeared when using this feature previously, or in any other part of the Cloudflare dash. I have been a heavy user for years.

I genuinely thought the Cloudflare system had to be pulling them from somewhere. I will try emailing them tomorrow, to see if they are even real addresses. Perhaps, if there are any real people behind them, one of them might know what is happening.

Yes, that is definitely happening here.

I have now also noted a pattern whereby, if I do not delete an unknown pending destination address under one domain, it appears, still pending, under the next domain and no new unknown address appears.

So, it is only when I delete one of these pending addresses that a new one is generated and inserted for the next domain.

Thanks for the report @imappoet. This has now been fixed.
A security incident has been raised internally and we’ll share more information next week.

I can confirm that the leaked email addresses are no longer appearing in my dash. Thanks to everyone involved in fixing the leak.

Funny sidenote: one of the leaked email addresses switched from pending to verified, so, presumably the real owner decided to confirm the link in the verification email he received when the Cloudflare system added his address to my Destination emails.

I don’t blame him, I would have been curious too

Here’s what happened:

On 7/6/2022, Cloudflare released a newer version of the API software that included some changes to the Catch-All rule. There was a bug in the software that left random configured destination addresses in a globally shared data object. This object was used by the auto-complete form when configuring Email Routing rules. We’ve promptly removed the offending code and are ensuring that no future code will use the same sharing pattern. In addition, we’ve gone through the existing database and cleaned up entries.

Will any users that had their email addresses inadvertently leaked be notified?

Thanks for letting us know what happened Sven.

I feel it is important to note, however, that the leaked email addresses themselves were real addresses. Your use of the phrase “random configured destination addresses” might suggest, to some, that the addresses were randomly created, with no real recipients.

I know that at least one of the addresses leaked to me was real because, as I noted in a post above, the recipient verified his address when he received the verification email from Cloudflare.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.