WHAT YOU NEED TO KNOW ABOUT THE CLOUDBLEED BUG

This post was originally published here.

On February 18th, 2017, Google security researchers discovered a massive leak in Cloudflare’s services that resulted in the exposure of sensitive data belonging to thousands of its customers. Here’s what you need to know about the Cloudbleed bug and what can be done to protect your data.

Background

Cloudflare is a leading provider of content delivery network (CDN) and internet security services used by Uber, OKCupid, Upwork, and Digital Ocean, among others. Google Project Zero’s Tavis Ormandy first discovered and reported the bug to Cloudflare on February 18th; less than an hour later, services using the faulty parser in question—email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrite—were disabled. Cloudflare was able to subsequently deploy a patch worldwide 6 hours later. Like 2014’s OpenSSL Heartbleed bug (also discovered by Google’s security team), Cloudbleed involves a buffer overflow vulnerability that results in web session leaks and private data exposure.

Full details are available via Cloudflare’s blog post regarding the Cloudbleed bug.

Who’s Affected

Per Cloudflare, “the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.” The company has stated that over 1,000 domains may have been compromised, though this list of potentially impacted websites is vastly more extensive. Other web properties affected include authy.com, medium.com, 4chan.org, yelp.com, zendesk.com, and uber.com, to name a few.

UpGuard users are not affected by the Cloudbleed bug, as we only use Cloudflare for simple DNS services and DNSSEC—the flaw in question primarily impacts users of Cloudflare’s Scrapeshield solution. Popular websites such as Uber.com and OKCupid.com have already notified users about the Cloudbleed flaw and have prompted them to change their passwords.

How to Protect Yourself from Cloudbleed

First and foremost, change your website passwords—all of them. Because Cloudflare’s CDN services are in use by the internet’s most prominent brands, users of all major websites should change their passwords immediately. However, a larger problem exists with cached data residing with search engines like Google, Bing, and Yahoo. These and other major search engines have reportedly been working to clear the cached breach data, causing initial delays in the bug notification. As it stands, leaked data could still potentially be cached by the world’s leading search engines.

And if you’re not using Cloudflare, don’t breathe a sigh of relief just yet: your enterprise could still be vulnerable to Cloudbleed via third parties, as vendors impacted by the flaw could potentially leak privileged data belonging to both themselves and their partners. Cloudbleed illustrates the inherent fragility of today’s digital supply chains and how flaws in third-party code can introduce vulnerabilities into the most secure systems, potentially damaging the world’s most trusted digital brands. Try out UpGuard’s resilience platform today and find out how partners and third-party vendors are impacting your cyber resilience posture.
