On February 17, Tavis Ormandy, a Google vulnerability researcher and security analyst, discovered a bug in Cloudflare's code that leaked users' private data (passwords, messages, cookies and more) from potentially thousands of websites, including Uber, Fitbit and OKCupid.
What is Cloudbleed?
Ormandy flagged the issue, dubbed Cloudbleed, in a post on Google's Project Zero online project board. The issue was serious enough that, as Ormandy stated in the post, he had to cancel his weekend plans so he could go into the office and build a tool to help clean it up.
Ormandy's post states, "I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
According to Ormandy, Cloudflare quickly resolved the issue, but the bug had apparently gone undetected for several months.
What is amazing with the #CloudBleed incident: it took 30min for CF to assemble a team in SF just after the first @taviso tweet. Remarkable. pic.twitter.com/KFKfO2mLWP
— x0rz (@x0rz) February 24, 2017
How scary is Cloudbleed?
Cloudflare is probably not well known to the general public, but because many popular websites most likely use Cloudflare's technology, everyone should consider changing their passwords immediately.
Cloudflare is one of the largest internet security companies and, according to its website, "... speeds up and protects millions of websites, APIs, SaaS services, and other properties connected to the Internet." Ironically, Cloudflare provides services that protect companies from DDoS attacks, and many large corporations pay the company to ensure that their private data is secure.
For those who recall Heartbleed, the bug of 2015, Cloudbleed is considered more severe because search engines were caching the leaked data. Another big concern is that Cloudflare hosts multiple websites on one server, which means a vulnerable website could reveal data from other sites.
Andrew Tierney, Pen Test Partners white hat hacker, explained to Forbes how the bug works, stating: "For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned. This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data - my mum may have someone else's passwords stored in her browser cache just by visiting another CloudFlare fronted site."
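Tierney's description of memory from a previous request being handed to a later one can be modelled with a small C program. This is an added illustration, not code from Cloudflare, Ormandy or this article: one output buffer is reused across requests from different customer sites, and the buggy handler trusts a response length that exceeds what the current request actually wrote, so the bytes it sends include leftovers from the previous site's response. The site names, the `SECRET_A` cookie value, the buffer layout and the function names are all constructed for the example; the hardened handler clamps to the bytes actually written and scrubs the buffer between requests, which is the mitigation a defender would look for in any multi-tenant proxy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a multi-tenant proxy, not Cloudflare's code:
 * a single output buffer reused by every request the process handles. */
#define BUF_SIZE 256
static char shared_buf[BUF_SIZE];

/* Copy one tenant's response into the shared buffer; return bytes written. */
static size_t stage_response(const char *body) {
    size_t n = strlen(body);
    if (n > BUF_SIZE) n = BUF_SIZE;
    memcpy(shared_buf, body, n);
    return n;
}

typedef size_t (*serve_fn)(const char *, size_t, char *, size_t);

/* Buggy handler: sends `claimed_len` bytes (e.g. a miscomputed length from a
 * parser), even when that runs past what this request wrote, so stale bytes
 * from the previous tenant's response go out with this response. */
static size_t serve_buggy(const char *body, size_t claimed_len,
                          char *out, size_t out_sz) {
    (void)stage_response(body);
    size_t n = claimed_len;
    if (n > BUF_SIZE) n = BUF_SIZE;
    if (n > out_sz) n = out_sz;
    memcpy(out, shared_buf, n);
    return n;
}

/* Fixed handler: never send more than this request wrote, and scrub the
 * buffer afterwards so no other tenant's data survives in it. */
static size_t serve_fixed(const char *body, size_t claimed_len,
                          char *out, size_t out_sz) {
    size_t written = stage_response(body);
    size_t n = claimed_len < written ? claimed_len : written;
    if (n > out_sz) n = out_sz;
    memcpy(out, shared_buf, n);
    memset(shared_buf, 0, BUF_SIZE);
    return n;
}

/* Plain byte search (avoids the non-portable memmem). */
static int contains(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Serve site A's response, then a shorter response for site B whose claimed
 * length is too large. Returns 1 if site A's secret appears in what site B's
 * visitor received. Both responses are constructed sample data. */
static int leaks_secret(serve_fn serve) {
    char out[BUF_SIZE];
    const char *site_a =
        "HTTP/1.1 200 OK\r\nSet-Cookie: session=SECRET_A\r\n\r\n<html>A</html>";
    const char *site_b = "HTTP/1.1 200 OK\r\n\r\n<p>B</p>";
    serve(site_a, strlen(site_a), out, sizeof out);   /* site A's visitor */
    size_t n = serve(site_b, 120, out, sizeof out);   /* site B's visitor */
    return contains(out, n, "SECRET_A");
}

int main(void) {
    printf("buggy handler leaks site A's cookie: %s\n",
           leaks_secret(serve_buggy) ? "yes" : "no");
    printf("fixed handler leaks site A's cookie: %s\n",
           leaks_secret(serve_fixed) ? "yes" : "no");
    return 0;
}
```

The point of the model is that no attack is needed: site B's visitor simply receives whatever the buffer still holds beyond the end of B's own response. Length clamping alone stops the over-read; scrubbing the buffer is cheap defence in depth against the next length bug.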
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Cloudflare #Cloudbleed bug exposes sensitive mobile app data. See list of 200 popular iOS apps potentially affected https://t.co/x455Sr0FTG pic.twitter.com/AKZh09uSeb
— NowSecure (@NowSecureMobile) February 24, 2017
Ok, scrape finished. Here are the 7,385,121 sites using @Cloudflare that may be affected by #CloudBleed #security https://t.co/YIW0lGfSgq
— Nick Sweeting (@thesquashSH) February 24, 2017
#cloudbleed 😍 pic.twitter.com/JuctvaT2S9
— x0rz (@x0rz) February 23, 2017