Cloudflare, a content delivery and security service, has disclosed a major bug that may have exposed users' sensitive data on millions of websites. The bug, dubbed 'Cloudbleed', was found in Cloudflare's content optimization systems, which leaked uninitialized server memory into web responses. Exposed data includes passwords, session cookies, authentication tokens and even private messages. The consequences are considered extremely serious, and web users are urged to change their passwords on ALL websites immediately.
You may not have heard of Cloudflare, but it is one of the world's largest Internet security companies. Cloudflare's technology sits in front of millions of websites and is used by Fortune 500 companies. Cloudflare describes itself as a "web performance and security company."
Cloudflare's systems modify HTML pages as they pass through its servers, for example to rewrite HTTP links to HTTPS. The same HTML rewriting machinery powers features that hide certain content from bots (Server-Side Excludes), conceal email addresses (Email Address Obfuscation), enable Accelerated Mobile Pages (AMP) and more. Cloudflare's clients include huge companies like Uber, OKCupid, FitBit and 1Password. 1Password states that its user data is safe, because it is encrypted on the client before it ever reaches Cloudflare's servers. But with millions of websites using the service, this bug is an extremely serious threat: massive amounts of sensitive data have potentially been compromised.
The data leak was discovered by accident on February 18th by a security engineer from Google's Project Zero, who immediately alerted Cloudflare. The company responded by quickly assembling an incident response team and, within hours, shut down the feature responsible for most of the leakage. By February 20th a complete fix was in place. In the remaining time before the incident was publicly revealed, Cloudflare worked with search engines such as Google, Yahoo and Bing to purge the leaked data from their caches, since crawlers had stored leaked pages alongside ordinary content.
According to a blog post from John Graham-Cumming, Cloudflare's CTO, memory could have been leaking as early as September 22, 2016. However, the period of greatest impact was between February 13 and February 18, 2017, when the Email Address Obfuscation feature was being migrated to the new HTML parser. Cloudflare estimates that around one in every 3.3 million HTTP requests that passed through its system potentially resulted in memory leakage, roughly 0.00003 percent of all requests.
But that does not diminish the seriousness of the data leak. The leaked memory came from Cloudflare's shared proxy servers, so a request to one Cloudflare-fronted site could return fragments of traffic belonging to a completely unrelated site, and those fragments were then cached by search engines and other crawlers. Even sites that do not use Cloudflare are affected indirectly: if their users reused a password or token that leaked from a Cloudflare-fronted site, that credential is now at risk. In this sense the problem has spread all over the Internet.
In an interview with Gizmodo, Cloudflare CEO and co-founder Matthew Prince said, "This is a big deal for us. This is a really bad bug. This is something that our customers should be very cognizant of and should take very seriously."
Everybody who uses any website is strongly urged to change their passwords immediately, and to log out of and back into services so that old session cookies are invalidated. As in right now!