Google researchers discovered a new online security vulnerability in February 2017, and early indications are that it has potentially triggered over a million data leaks. Named Cloudbleed, this security concern affected thousands of sites including several large ones.
So what exactly happened, and how does it affect you? Let’s take a look at Cloudbleed and examine what led up to this latest threat to data security.
The issue started with CloudFlare, an internet service and content delivery company serving as the security backbone of 5.5 million websites. If you use the internet, chances are you regularly visit sites that use CloudFlare’s services.
On February 19, 2017, Google Project Zero researcher Tavis Ormandy discovered a security flaw that allowed him to gain access to secure user data such as passwords from sites using CloudFlare. He named it Cloudbleed as a nod to 2014’s Heartbleed vulnerability.
The security flaw was accidentally introduced during a software code update in September 2016. Between that time and when the bug was discovered, it is estimated that as many as 3,400 websites were affected, although in truth any of the 6 million websites in the network may have been exposed.
According to the CloudFlare blog post on the incident, “…Our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”
In simpler terms, the flaw allowed private data to leak where it was not supposed to, bleeding from one secure area to another, and it could have been exploited with the right extraction techniques.
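The following added example (not code from CloudFlare or from this article) models "running past the end of a buffer" with a toy scanner: an end-of-buffer test that only stops on an exact match is skipped when the cursor advances by two, while a bounds test stops it. The equality-only check follows the root cause given in CloudFlare's incident report; the scanner, the sample page and the cookie value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 10-byte page that ends in a lone '<', followed in
   the same array by another request's data. Keeping both in one array
   makes reads past the page well-defined C for this demonstration. */
#define PAGE_LEN 10
static const char ARENA[] = "<b>ok</b><" "Cookie: session=EXAMPLE";

/* Toy scanner (hypothetical): copies the page to out. A '<' is consumed
   together with the byte after it, so the cursor can advance by two. */
static size_t scan(int equality_only, char *out, size_t cap)
{
    size_t arena_len = strlen(ARENA), p = 0, n = 0;
    while (p < arena_len && n + 2 <= cap) {   /* keeps the demo in bounds */
        /* Weak form stops only on an exact hit; strong form on p >= end. */
        if (equality_only ? (p == PAGE_LEN) : (p >= PAGE_LEN))
            break;
        size_t step = (ARENA[p] == '<') ? 2 : 1;
        if (!equality_only && step > PAGE_LEN - p)
            step = PAGE_LEN - p;              /* never consume past the page */
        if (step > arena_len - p)
            step = arena_len - p;
        memcpy(out + n, ARENA + p, step);
        n += step;
        p += step;
    }
    return n;
}

/* Bytes emitted that came from beyond the page buffer. */
static size_t leaked_bytes(int equality_only)
{
    char out[64];
    size_t n = scan(equality_only, out, sizeof out);
    return n > PAGE_LEN ? n - PAGE_LEN : 0;
}

int main(void)
{
    printf("equality-only check leaks %zu bytes\n", leaked_bytes(1));
    printf("bounds check leaks %zu bytes\n", leaked_bytes(0));
    return 0;
}
```

The weak form returns the whole neighbouring record because the cursor moves from position 9 to 11 and never equals the page length of 10.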
While the vulnerability was quickly patched, Cloudbleed’s five-month window saw the bug being triggered 1,242,071 times. However, most experts agree that it seems to have been caught before any malicious activity occurred. Still, CloudFlare continues to investigate to ensure that it does not happen again.
Major sites such as Uber, Medium, OKCupid, FitBit and Yelp are believed to have been affected. No credit card or financial information was thought to have been exposed, though other sensitive information may have been compromised.
Tavis Ormandy wrote that he discovered “private messages from major dating sites, full messages from a well-known chat service, online password manager data,” among other data.
The key threat from this kind of vulnerability is that whenever passwords are potentially leaked, they can be the virtual keys to access even more critical data. Since most people protect their data with passwords, they can leave themselves open to devastating data loss.
It is important to change your passwords regularly, taking care not to reuse them, since reuse makes it easier for would-be data thieves to access your information. In addition, taking advantage of two-factor authentication where offered can go a long way to mitigating the risks from a security vulnerability like Cloudbleed.