A bug in California-based Cloudflare’s software appears to have leaked data from perhaps as many as four million domains of the six million websites that use Cloudflare’s performance enhancement, SEO and security services.
Any request to a website with the HTML rewrite features enabled could trigger the bug, which then leaked personal data belonging to any other Cloudflare proxy customers that happened to be in memory at the time to random requesters.
What Kind of Data Was Leaked?
The kind of personal customer data that was leaked included session tokens, passwords, private messages (perhaps including private messages sent on dating sites), API keys, and possibly even credit card details. The full scope of the leaked data is not yet known.
When ... and For How Long?
The problem, which was discovered and reported by Tavis Ormandy (a Google researcher), meant that data had been leaking accidentally for roughly the last six months to data-crawlers and regular website users who downloaded files and visited sites. The worst period for the leak is thought to have been between February 13th and February 18th. During this time, it is believed that memory was leaked in 1 in every 3,300,000 HTTP requests through Cloudflare.
Although the leak itself was bad enough, it has been compounded and made much more difficult to clean up because:
- The leak contained cookies and authentication codes. This means that users can’t clean up all of the mess by themselves, but need website administrators to take action too.
- Search engines cached the leaked data, thus making it a lot more difficult and time consuming to clean up. For example, authentication cookies for sites affected by ‘CloudBleed’ can be found in web searches. These could potentially allow someone to log into a website without a password, posing as a regular user. To their credit, it has been reported that many search engines including Google, Yahoo, and Bing did what they could to scrub the data before news of the bug was publicly announced.
Data from many popular websites is believed to have been leaked. Websites affected include Uber, Fitbit, Ok Cupid, and Yelp.
Do Hackers Have The Leaked Data?
Security commentators say that, to this point, there is no evidence to suggest that the data has fallen into the wrong hands or is being used by hackers.
What Does This Mean For My Business?
The advice from security commentators is to first check whether your details, or your business’s, may have been leaked by checking the list of domains that appear to have been affected by the Cloudflare leak. These domains have been posted online here: https://github.com/pirate/sites-using-cloudflare
Other actions that you can take include:
- Ask your vendors and sites to reset / rotate all session tokens.
- If you use websites that have a link / button that allows you to log out of all active sessions, click on it. Then, do the same thing again in a week or two.
- Check your password managers and change all of your passwords, especially those on the named affected sites.
- Make sure that you set up two-factor authentication on important accounts.
- Rotate API keys and secrets.