Dubbed ‘Cloudbleed’ in reference to the notorious ‘Heartbleed’ breach in 2014, the leak stems from a bug found in code operated by web infrastructure company Cloudflare, which provides security and hosting services for thousands of major internet sites.
“For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned,” security consultant Andrew Tierney from UK-based Pen Test Partners told Forbes.
“This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data – my mum may have someone else’s passwords stored in her browser cache just by visiting another Cloudflare-fronted site.”
The leak was discovered on February 17 by security researcher Tavis Ormandy from Google’s Project Zero bug-hunting team, who was sifting through publicly available website data to look for any errors in the code.
“It’s not unusual to find garbage, corrupt data, mislabeled data, or just crazy non-conforming data… but the format of the data this time was confusing,” Ormandy explained in a blog post detailing the issue.
“In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”
“I didn’t realise how much of the internet was sitting behind a Cloudflare CDN [content delivery network] until this incident,” Ormandy said on February 19.
“The examples we’re finding are so bad… I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.”
Ormandy reached out to Cloudflare, which assembled an international team of engineers to fix the problem and stopped the bug in less than 7 hours.
It’s great that the parsing error is no more, but that’s not the end of the problem.
The leakage may have actually been active from as far back as 22 September 2016 – almost five months before Ormandy found it – and there’s no way of knowing how many people’s sensitive information was exposed in that time.
In a blog post last week, Cloudflare CTO John Graham-Cumming explained that they hadn’t detected any malicious activity resulting from the bug, but with nearly five months of exposed data in the wild, it’s difficult to say how many user credentials may have been leaked.
Adding to the problem, any exposed data could have been cached by search engine bots that index website code, meaning sensitive information could have been replicated far and wide, opening up even greater access to it.
According to Cloudflare, the peak of the bug occurred between February 13 and February 18, with around one in every 3,300,000 HTTP requests passing through Cloudflare potentially resulting in data leakage.
That might sound like pretty good odds, but given the potential length of the leak – and that private data may have been cached elsewhere on the internet – now might not be a bad time to change some passwords if you think you may have been compromised.
While there isn’t an official list of affected services, a huge number of notable sites were exposed, including Uber, Yelp, Fitbit, OkCupid, the Pirate Bay, Change.org, Feedly, 4chan, and many more.
You can search here to see if sites and services you use are on Cloudflare, and there’s also an unofficial listing of the more than 4 million sites that could be affected here.
While the overall level of risk to any particular user is probably very low, a lot of personal data could have been leaked here, so it’s a good idea to change your passwords for any potentially compromised sites.
“Cloudflare has said the actual impact is relatively minor, so I believe only limited amounts of information were actually disseminated,” security researcher and former Cloudflare employee Ryan Lackey wrote in a blog post.
“Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to consider the possibility it has been compromised.”
Of course, to minimise the potential risk of similar breaches (inevitably) happening in the future, make sure you don’t use the same password across multiple sites.
Since it’s impossible to remember a huge number of passwords – given how many digital services we all use these days – consider a password manager like LastPass or 1Password.
Another good idea is to make sure you enable two-factor authentication on services that support it, which can protect your accounts even if your passwords do get out.