On February 18th, 2017, Google security researchers discovered a massive leak in Cloudflare's services that resulted in the exposure of sensitive data belonging to thousands of its customers. Here's what you need to know about the Cloudbleed bug and what can be done to protect your data.
Cloudflare is a leading provider of content delivery network (CDN) and internet security services used by Uber, OKCupid, Upwork, and Digital Ocean, among others. Google Project Zero's Tavis Ormandy first discovered and reported the bug to Cloudflare on February 18th; less than an hour later, services using the faulty parser in question—email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrite—were disabled. Cloudflare was able to subsequently deploy a patch worldwide 6 hours later. Like 2014's OpenSSL Heartbleed bug (also discovered by Google's security team), Cloudbleed involves a buffer overflow vulnerability that results in web session leaks and private data exposure.
Full details are available via Cloudflare's blog post regarding the Cloudbleed bug.
Per Cloudflare, "the greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage." The company has stated that over 1,000 domains may have been compromised, though this list of potentially impacted websites is vastly more extensive. Other web properties affected include authy.com, medium.com, 4chan.org, yelp.com, zendesk.com, and uber.com, to name a few.
UpGuard users are not affected by the Cloudbleed bug, as we only use Cloudflare for simple DNS services and DNSSEC—the flaw in question primarily impacts users of Cloudflare's Scrapeshield solution. Popular websites such as Uber.com and OKCupid.com have already notified users about the Cloudbleed flaw and have prompted them to change their passwords.
How to Protect Yourself from Cloudbleed
First and foremost, change your website passwords—all of them. Because Cloudflare's CDN services are in use by the internet's most prominent brands, users of all major websites should change their passwords immediately. However, a larger problem exists with cached data residing with search engines like Google, Bing, and Yahoo. These and other major search engines have reportedly been working to clear the cached breach data, causing initial delays in the bug notification. As it stands, leaked data could still potentially be cached by the world's leading search engines.
And if you're not using Cloudflare, don't breathe a sigh of relief just yet: your enterprise could still be vulnerable to Cloudbleed via third parties, as vendors impacted by the flaw could potentially leak privileged data belonging to both itself and its partners. Cloudbleed illustrates the inherent fragility of today's digital supply chains and how flaws in third party code can introduce vulnerabilities into the most secure systems, potentially damaging the world's most trusted digital brands. Try out UpGuard's resilience platform today and find out how partners and third party vendors are impacting your cyber resilience posture.