A Google engineer has identified and reported a critical bug in Cloudflare that leaked passwords, messages, personal information, cookies, and other sensitive data. Nicknamed ‘Cloudbleed’, the leak was caused by a bug in Cloudflare’s own code and compromised data as far back as September 2016. Cloudflare, one of the biggest internet security and content distribution companies, has now fixed the bug.
Tavis Ormandy, a security researcher for Google’s Project Zero, identified the security threat and reported it via Twitter on February 18. By then the bug had already been causing leaks for almost six months, with most of the damage happening between February 13 and February 18. During that peak period, about one in every 3,300,000 HTTP requests caused sensitive data to leak. A problem that went undetected for several months is a big deal, especially when you consider that Cloudflare provides services for some of the biggest companies today. It also means that a large number of users don’t know how much of their personal data (if any) has been compromised.
What is Cloudflare?
To get a better picture of the extent of the damage Cloudbleed may have caused, just look at who Cloudflare’s clients are: Uber, FitBit, Cisco, OKCupid, Zendesk and 1Password are just a few. Cloudflare started out as an app for tracking down the source of spam, but now describes itself as a “web performance and security company”. It provides a wide range of services for websites, including web optimization features, reliable domain name system (DNS) services, and protection against distributed denial of service (DDoS) attacks.
How did Cloudbleed happen?
Cloudflare provides internet security services for some of the most popular websites today, so how could a leak happen? It seems that a single coding error in Cloudflare’s code caused the bug. According to the company’s official blog post, their edge servers were running past the end of a buffer and returning memory that contained private information: HTTP cookies, HTTP POST bodies, URI parameters, JSON for API calls, authentication tokens, and other sensitive data. What made it even scarier was that some of that leaked data was cached by Google, Yahoo, Bing, and other search engines through their normal crawling and caching.
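The over-read described above, as an added illustration that is not Cloudflare’s code: a small constructed scanner in C whose only end-of-buffer test is an equality check. Because the scanner can step forward by two bytes when it sees an escape character, it can jump over the end pointer without ever being equal to it, and from then on it copies whatever sits in memory after the fragment it was handed. In this example the following bytes are a constructed sample line standing in for another request’s data. The hardened version beside it uses a proper bound and stops on a truncated escape. All names here (`scan_value_vulnerable`, `scan_value_safe`, `build_arena`, the sample strings) are my own and do not come from the Cloudflare post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed demonstration of a buffer over-read (not Cloudflare's code).
 * A scanner copies an attribute value out of an HTML-like fragment. The
 * fragment sits at the start of a larger memory area; the bytes after it
 * stand in for whatever another request left behind (cookies, tokens).
 */

#define OUT_MAX 64

/* Fragment the scanner is told about: the value text ends in a lone
 * backslash, i.e. a truncated escape sequence (constructed sample). */
static const char FRAGMENT[] = "abc\\";
/* Bytes that happen to follow it in memory (constructed sample, not real). */
static const char NEIGHBOR[] = "Cookie: session=SAMPLE_TOKEN_1234\"";

/* Vulnerable: the end test is `p == end`. An escape advances p by two, so
 * p can land on end + 1 and the test never fires again; the loop then
 * keeps reading past the fragment until it happens to see a quote. */
static size_t scan_value_vulnerable(const char *buf, size_t len, char *out)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (n < OUT_MAX - 1) {
        if (p == end) break;        /* BUG: equality instead of a bound */
        if (*p == '"') break;       /* closing quote ends the value */
        if (*p == '\\') p++;        /* skip the escape; may step past end */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened: `p < end` bounds every read, and a backslash that is the last
 * byte of the fragment is treated as truncated input rather than skipped. */
static size_t scan_value_safe(const char *buf, size_t len, char *out)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (n < OUT_MAX - 1 && p < end) {
        if (*p == '"') break;
        if (*p == '\\') {
            if (p + 1 >= end) break;  /* truncated escape: stop here */
            p++;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Lay out FRAGMENT followed directly by NEIGHBOR; return the fragment's
 * length, which is all the scanner is supposed to know about. */
static size_t build_arena(char *arena, size_t arena_len)
{
    size_t frag_len = sizeof FRAGMENT - 1;
    memset(arena, 0, arena_len);
    memcpy(arena, FRAGMENT, frag_len);
    memcpy(arena + frag_len, NEIGHBOR, sizeof NEIGHBOR - 1);
    return frag_len;
}

static char g_out[OUT_MAX];   /* value copied out by the last scanner run */

static size_t run_scanner(size_t (*scan)(const char *, size_t, char *))
{
    char arena[128];
    size_t frag_len = build_arena(arena, sizeof arena);
    return scan(arena, frag_len, g_out);
}

/* Returns the number of bytes the vulnerable scanner copied (36: the
 * 3 real bytes plus 33 bytes of the neighbour's data). */
static size_t demo_vulnerable(void) { return run_scanner(scan_value_vulnerable); }
/* Returns the number of bytes the hardened scanner copied (3). */
static size_t demo_safe(void) { return run_scanner(scan_value_safe); }
static const char *last_output(void) { return g_out; }

int main(void)
{
    size_t n = demo_vulnerable();
    printf("vulnerable scanner copied %zu bytes: \"%s\"\n", n, last_output());
    n = demo_safe();
    printf("hardened scanner copied %zu bytes: \"%s\"\n", n, last_output());
    return 0;
}
```

The arena keeps the over-read inside one array so the program is deterministic; in a real server the bytes after the fragment are whatever the allocator placed there, which is exactly why the leaked content was a random mix of other customers’ cookies and tokens. The practical check is to compile parsers like this with AddressSanitizer and fuzz them with inputs that end mid-token: with the fragment in its own allocation, the vulnerable loop crashes on the first byte past the end instead of silently copying it into a response.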
Tavis Ormandy reported that he was able to find private messages from major dating websites and data from online password managers. There were also frames from adult video sites, hotel bookings, and full messages from a well-known chat service. Client IP addresses, keys, and a lot of other sensitive information were leaked, too.
Based on reports, Cloudbleed works similarly to Heartbleed in that it leaks data during certain processes. And because it affects a common security service used by a large number of websites, Cloudbleed could affect as many users as Heartbleed did.
To get a more detailed explanation on the Cloudbleed bug, check out this official blog post from Cloudflare.
Are you affected?
There is no definitive data on how many users have been affected by Cloudbleed, or which ones. So far, some websites using Cloudflare’s services have acknowledged that they were directly affected: OKCupid, Uber, and FitBit have reportedly been affected, while 1Password was not put at risk (as announced by Cloudflare on Twitter). However, the leak started almost six months ago and thousands of other sites could potentially be affected, so there is no telling yet how much data has been compromised. Another worry is that Cloudflare sits between users and the servers of the secure websites it protects, carrying their data. The Cloudbleed bug caused some of this sensitive information to be saved unexpectedly, where it should not have been, and, as if that weren’t enough of a problem, Google, Yahoo, and other search engines cached it.
So far there have been no reports of hackers gaining access to this sensitive information. Cloudflare responded quickly: it stopped the bug just 47 minutes after Tavis Ormandy reported the leak, and the problem was fixed completely in 7 hours, when it usually could have taken months. Cloudflare also ensured that sensitive information cached by search engines was scrubbed from their caches, to prevent hackers and other third parties from accessing it. However, thousands of widely used sites have been affected, so it would be wise to take security measures.
What action should you take?
Whether you use the websites on Cloudflare’s client list or not, securing your passwords and private information is a must. If an online security company like Cloudflare, trusted by some of the most popular websites today, can still experience bugs and security leaks, then nothing is a hundred percent foolproof when it comes to online information. The best course is to take action now.
- Check which websites have been affected by Cloudbleed and identify which ones you use frequently and have accounts with. Contact the companies behind the sites and services you use to let them know about your security concerns. Knowing that their customers and users are affected and concerned could encourage them to work harder at securing their websites.
- Change all your passwords. Whether there is a new security leak or not, changing your passwords regularly should be a habit.
- Use two-step verification or two-factor authentication for all website services that offer it. This feature requires you to submit extra information when you log in, as an extra layer of verification; often it is a numeric code texted to your mobile phone. This way, even if someone gets hold of your password, they won’t be able to access your accounts.
- Use unique passwords for each of your online accounts.
Here are more wise tips on how to protect your passwords, identity, and other sensitive data online.
You cannot predict what happens to websites, or to companies like Cloudflare that are supposed to secure them. But you can take action and use all the extra measures available to protect your own online accounts and sensitive information.