What You Need to Know About the Cloudbleed Bug
Cloudbleed is the name given to the newest wide-reaching security flaw to hit the internet, exposing the private information of millions of users worldwide. It is a flaw in the popular Cloudflare Content Delivery Network (CDN), which provides DDoS protection to some 5.5 million websites, including Medium, Feedly, FitBit, TransferWise, Zendesk, OK Cupid and more.
Cloudflare accidentally leaked mass amounts of sensitive user information, including passwords, private messages, hotel bookings, and more between September 2016 and February 18th of this year. The leak has been named ‘Cloudbleed’. Tavis Ormandy, a security researcher at Google, identified the vulnerability, which is the result of a software bug in Cloudflare’s code, known technically as a buffer overrun. According to a blog post from Cloudflare, “our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” and the company states that it has not found “any evidence of malicious exploits of the bug or other reports of its existence.”
While Cloudflare’s service was rapidly patched to eliminate this bug, data had been leaking constantly for months before that point. Some of this data was cached publicly in search engines such as Google, and is in the process of being removed. Other data might exist in other caches and services throughout the Internet, and it is clearly impossible to coordinate deletion across all of these locations.
There is always the potential that someone malicious discovered this vulnerability independently, before Ormandy did, and may have been actively exploiting it, but there is no evidence to support this theory. Unfortunately, it is also difficult to conclusively disprove. The most sensitive information leaked is authentication information and credentials. A compromise of this data can have lasting and ongoing consequences until the credentials are revoked and replaced.
The root cause of the Cloudbleed vulnerability was that “reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer.” “Had the check been done using >= instead of == jumping over the buffer end would have been caught,” said Cumming.
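To make the root cause concrete, here is an added, constructed model of the bug (not Cloudflare's code): a scanner that advances its read pointer by the length of each token and then tests for the end of the buffer. A tag truncated at the end of the input pushes the pointer past the end; the `==` check then never fires and the scanner keeps reading neighbouring memory, whereas `>=` stops at the very next check. The backing array, the three-byte tag token and the `S` filler standing in for another tenant's data are all assumptions of this demo.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Size of the backing array: the logical buffer plus the "neighbouring"
 * memory an overrun would read. Everything stays inside this array, so the
 * demo itself never reads out of bounds. */
#define BACKING 64

/* Model of a scanner that advances its read pointer by the length of each
 * token and checks for the end of the buffer after every advance.
 * use_geq selects the corrected check (p >= pe) instead of the original
 * equality check (p == pe). Returns the offset at which the scanner stopped. */
static size_t scan(const unsigned char *buf, size_t len, bool use_geq) {
    const unsigned char *p = buf;
    const unsigned char *pe = buf + len;             /* one past the logical end */
    const unsigned char *hard_limit = buf + BACKING; /* demo safety net only */

    while (p < hard_limit) {
        /* End-of-buffer check. Once p has stepped past pe, only the >= form
         * notices; the == form sails on into neighbouring memory. */
        bool at_end = use_geq ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        /* '<' starts a three-byte tag token; any other byte is a 1-byte token.
         * A tag cut off at the end of the buffer pushes p past pe. */
        p += (*p == '<') ? 3 : 1;
    }
    return (size_t)(p - buf);
}

/* Constructed input: a 3-byte fragment "ab<" whose trailing tag is cut off,
 * followed by 'S' filler standing in for another tenant's data.
 * Returns how many bytes the scanner read beyond the logical buffer. */
size_t bytes_read_past_end(bool use_geq) {
    unsigned char backing[BACKING];
    const char *fragment = "ab<";
    size_t len = strlen(fragment);
    memset(backing, 'S', sizeof backing);
    memcpy(backing, fragment, len);
    size_t stopped_at = scan(backing, len, use_geq);
    return stopped_at - len;
}

int main(void) {
    printf("== check: %zu bytes read past the buffer\n", bytes_read_past_end(false));
    printf(">= check: %zu bytes read past the buffer\n", bytes_read_past_end(true));
    return 0;
}
```

With the `==` check the scanner runs to the end of the backing array (61 bytes past the buffer); with `>=` it stops after the 2-byte overstep of the truncated tag.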
Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.
However, the researcher accused the DNS provider of double-dealing, arguing on the basis of Google’s cached data that the Cloudbleed vulnerability had existed for months.
Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.
So is Cloudbleed worse than Heartbleed?
At this point, no. Heartbleed affected half a million websites, whereas at this time only 3,400 websites are believed to have had the Cloudbleed bug. But here’s the potentially scary part: those 3,400 websites leaked private data that came from other Cloudflare clients. So the actual number of websites affected could be much higher.
What should you do?
First and foremost, change your website passwords—all of them. Because Cloudflare’s CDN services are in use by the internet’s most prominent brands, users of all major websites should change their passwords immediately. However, a larger problem exists with cached data residing with search engines like Google, Bing, and Yahoo. These and other major search engines have reportedly been working to clear the cached breach data, causing initial delays in the bug notification. As it stands, leaked data could still potentially be cached by the world’s leading search engines.
Experts also recommend resetting two-factor authentication tokens for accounts where it’s enabled, since 2FA codes may have been compromised. If you haven’t enabled 2FA yet, make sure you do so for all of your accounts whenever it’s available.
Only time will tell what the true fallout of Cloudbleed will be, and hopefully it won’t be too bad. But it’s already too late to stop it, so take what measures you can.