Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers

Gaps in Cloudflare’s security controls allow users to bypass protections and target others from the platform itself.

Gaps in Cloudflare’s security controls allow users to bypass customer-configured protection mechanisms and target other users from the platform itself, technology consulting firm Certitude warns.

The issue, the company says, arises from the shared infrastructure that all Cloudflare tenants have access to, allowing malicious actors to abuse the trust customers place in the platform’s protections to target them via Cloudflare.

A major cybersecurity vendor offering web application firewall (WAF), bot management, and distributed denial-of-service (DDoS) protections, Cloudflare relies on a network of reverse-proxy servers to inspect all traffic headed to customers’ web servers for malicious activity.

According to Certitude, because traffic originating from Cloudflare’s own infrastructure is considered trusted by default, it is not passed through the configured reverse-proxy servers, as is traffic from other parties.

Because of that, the consulting firm says, an attacker registered with Cloudflare can target other users on the platform, essentially bypassing the platform’s protections.

One gap Certitude discovered is related to the transport-layer mechanism ‘Authenticated Origin Pulls’, which relies on a Cloudflare SSL certificate for authentication.

When setting up the authentication mechanism to their web servers (origin servers), customers can opt for using a Cloudflare certificate or for using their own certificate.

However, because the available options are insufficiently documented, and because a custom certificate can only be used with an API, “it is reasonable to assume that customers will opt for the more convenient choice of using the Cloudflare certificate,” Certitude notes.

The use of a shared certificate means that all connections originating from Cloudflare are permitted, regardless of the tenant initiating them.

A similar gap was identified in the network-layer mechanism ‘Allowlist Cloudflare IP addresses’, which blocks connections originating from outside Cloudflare’s IP ranges but permits all connections from within Cloudflare’s infrastructure.

“An attacker can establish a custom domain with Cloudflare, direct the DNS A record to the victim’s IP address. Next, they disable all protection features for that custom domain and route their attack(s) through Cloudflare’s infrastructure, effectively bypassing the protection features that the victim has configured,” Certitude explains.

The consulting firm has published a proof-of-concept (PoC) demonstration of these issues and recommends the use of custom certificates for connection authentication and the use of Cloudflare Aegis to mitigate the gaps.
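On the origin server, the difference between the shared and the custom certificate comes down to which CA the web server trusts for client authentication. The nginx fragment below is an added illustration, not taken from Certitude's PoC or from Cloudflare's documentation; the hostnames, file paths and the private CA are assumptions.

```nginx
# Added illustration. All hostnames and paths are hypothetical placeholders.

# Weak: the origin trusts the CA behind the shared Cloudflare certificate.
# Every Cloudflare tenant's traffic is authenticated by that same certificate,
# so mTLS only proves "this came from Cloudflare", not "this came via my zone".
server {
    listen 443 ssl;
    server_name shared-ca.example.com;

    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # CA file for the shared Cloudflare origin-pull certificate (assumed path)
    ssl_client_certificate /etc/nginx/tls/cloudflare-shared-origin-pull-ca.pem;
    ssl_verify_client on;
}

# Hardened: the origin trusts only a CA the customer controls. The matching
# client certificate is uploaded to the customer's own Cloudflare zone (the
# article notes this is only possible through the API), so connections that
# other tenants route through Cloudflare cannot present it.
server {
    listen 443 ssl;
    server_name custom-cert.example.com;

    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Private CA that issued the custom origin-pull client certificate
    ssl_client_certificate /etc/nginx/tls/private-origin-pull-ca.pem;
    ssl_verify_client on;     # handshake must carry a valid client certificate
    ssl_verify_depth 1;       # client certificate issued directly by that CA
}
```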

Certitude says it reported the issues through Cloudflare’s bug bounty program in March, and that its report was marked as ‘informative’ and closed without a fix. A Cloudflare spokesperson has yet to respond to SecurityWeek’s request for a statement.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
