Cloudflare is warning customers their data may have been compromised after a bug in its software exposed sensitive information such as passwords.
The bug, which has since been fixed, caused readable versions of passwords, cookies and authentication tokens to be exposed — and some of that data was cached by search engines. Cloudflare's five-million-strong customer base includes some major companies, among them Uber, FitBit and OKCupid.
The bug, which was discovered last week by Google’s Project Zero security expert Tavis Ormandy, was most active from Feb. 13 to Feb. 18 with roughly one in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage. However, security entrepreneur Ryan Lackey said the bug has potentially been active since September of 2016.
“While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed,” Lackey said in a blog post. “Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently and before Tavis, and may have been actively exploiting it, but there is no evidence to support this theory.”
Cloudflare, in a Thursday blog post, said that after learning of the problem from Ormandy it was able to take action quickly, shutting off three minor Cloudflare features (e-mail obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were “all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.”
“Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day,” the company said. “The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under seven hours with an initial mitigation in 47 minutes.”
For average Web users, Lackey said the best course of action, rather than trying to figure out if sites and services they used were impacted, would be to change all of their passwords.
“While this might not be necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues,” he wrote. “…rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites.”
Cloudflare's blog post offers a very technical explanation of the bug and how it was fixed.
Jennifer Cowan is the Managing Editor for SiteProNews.
The post Cloudflare Bug Leaks Passwords, Other Data From Its Customers’ Websites appeared first on SiteProNews.