On February 17, Tavis Ormandy, a Google vulnerability researcher and security analyst, discovered a bug in Cloudflare's code that leaked users' private data, such as passwords, messages, cookies, and more, from potentially thousands of websites, including Uber, Fitbit, and OKCupid.

What is Cloudbleed?

Dubbed Cloudbleed, the issue was flagged by Ormandy in a post on Google Project Zero's online project board. It was so serious that Ormandy stated in the post he had to cancel his weekend plans so he could go into the office and build a tool to help clean it up.

Ormandy's post states, "I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.

We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

According to Ormandy, Cloudflare quickly resolved the issue but apparently the bug had been undetected for several months.

How scary is Cloudbleed?

Cloudflare is probably not well known to the general public, but because many popular websites are most likely using Cloudflare's technology, everyone should consider changing their passwords immediately.

Cloudflare is one of the largest internet security companies; according to its website, it "... speeds up and protects millions of websites, APIs, SaaS services, and other properties connected to the Internet." Ironically, Cloudflare provides services to protect companies from DDoS attacks, and many large corporations pay the company to ensure that their private data is secure.

For those who recall Heartbleed, the bug of 2015, Cloudbleed is considered more severe because search engines were caching the leaked data. Another big concern is that Cloudflare hosts multiple websites on one server, which could mean that a vulnerable website could reveal data from other sites.

Andrew Tierney, a white hat hacker at Pen Test Partners, explained to Forbes how the bug works: "For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned. This sensitive data could have been returned to anyone.

There was no need to carry out an active attack to obtain the data - my mum may have someone else's passwords stored in her browser cache just by visiting another CloudFlare fronted site."