A researcher from Google has discovered what may be one of the largest web leaks this year so far. It is possible that personal information and passwords were exposed from a number of sites. The leak affects several major companies, including Fitbit and Uber.
Many bloggers and tech industry experts are referring to this latest web leak as Cloudbleed. It earned that nickname because the problem appears to have resulted from a previously unknown vulnerability in the code of a well-known web company, Cloudflare, and because the leak resembles the infamous Heartbleed bug of 2015. The one difference is that once the damage of this latest leak is fully accounted for, it will likely prove more severe than Heartbleed.
Cloudflare serves and hosts content for at least 2 million websites. The leak became noticeable after many of the websites behind Cloudflare started returning random chunks of memory. That memory came from servers that were vulnerable at the time the requests arrived.
This breach was bad enough on its own. What added fuel to the fire was that many search engines, including Google, had cached the leaked information.
The other major issue was that the company served content from many different websites through the same server. This means that when a request came in for one of the vulnerable websites, information belonging to the other websites on that server could also have been exposed.
For example, suppose someone signed in to Uber. While that request was being handled by the server, some memory from another company, such as Fitbit, could have been returned along with the response. This highly sensitive Fitbit data could have been returned to almost anyone. No deliberate attack was needed to gather the sensitive data; the leak was triggered simply by users logging in to these websites, after which the information was returned. As a result, Uber customers may unknowingly have Fitbit members’ password information cached in their browsers.
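The cross-site exposure described above comes down to one process handling several tenants' traffic with shared memory, and a response path that returns more bytes than were actually prepared for the current request. The C program below is an added, constructed illustration written for this article; it is not Cloudflare's code, and the article does not describe the real bug's internals, so the buffer layout, the `stage_response` and `copy_out_*` helpers, the tenant names and the "SECRET-A-TOKEN" value are all hypothetical. It stages responses for two tenants through one buffer, then compares an unchecked copy (which hands tenant B stale bytes left behind by tenant A) with a copy bounded by the length that was actually staged.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: one shared buffer serves requests from several
 * tenants in turn, as a multi-tenant proxy or CDN edge process would. */
#define SHARED_BUF_SIZE 256
static unsigned char shared_buf[SHARED_BUF_SIZE];

/* Place a tenant's response body in the shared buffer and return the
 * number of bytes staged. Bytes beyond that length are NOT cleared, so
 * whatever the previous tenant left there stays in memory. */
static size_t stage_response(const char *body) {
    size_t n = strlen(body);
    if (n > SHARED_BUF_SIZE) n = SHARED_BUF_SIZE;
    memcpy(shared_buf, body, n);
    return n;
}

/* Defective copy: trusts a length claimed by the framing layer instead of
 * the length that was staged, so stale bytes from an earlier tenant are
 * returned as if they belonged to the current response. */
static size_t copy_out_unchecked(unsigned char *out, size_t claimed_len,
                                 size_t staged_len) {
    (void)staged_len;                      /* the bug: staged length ignored */
    if (claimed_len > SHARED_BUF_SIZE) claimed_len = SHARED_BUF_SIZE;
    memcpy(out, shared_buf, claimed_len);
    return claimed_len;
}

/* Hardened copy: never returns more than the bytes staged for this request,
 * whatever length the framing layer claims. */
static size_t copy_out_checked(unsigned char *out, size_t claimed_len,
                               size_t staged_len) {
    size_t n = claimed_len < staged_len ? claimed_len : staged_len;
    memcpy(out, shared_buf, n);
    return n;
}

/* Runs the two-tenant scenario and returns 1 if tenant A's constructed
 * secret shows up in the bytes returned for tenant B, else 0. */
int leaks_previous_tenant(int hardened) {
    unsigned char out[SHARED_BUF_SIZE + 1];
    /* Tenant A's response carries a constructed secret. */
    stage_response("site-A: session=SECRET-A-TOKEN");
    /* Tenant B's shorter response is staged into the same buffer. */
    size_t staged = stage_response("site-B: ok");
    /* The framing layer claims more bytes than were staged (the trigger). */
    size_t claimed = 64;
    size_t n = hardened ? copy_out_checked(out, claimed, staged)
                        : copy_out_unchecked(out, claimed, staged);
    out[n] = '\0';
    return strstr((const char *)out, "SECRET-A-TOKEN") != NULL;
}

int main(void) {
    printf("unchecked copy leaks previous tenant's data: %d\n",
           leaks_previous_tenant(0));
    printf("length-checked copy leaks previous tenant's data: %d\n",
           leaks_previous_tenant(1));
    return 0;
}
```

The point for defenders is that the fix is not in the tenant's own code: the tenant cannot see or control the shared buffer, so the bound has to be enforced where the response is assembled, and any reuse of a shared buffer should also clear the region past the staged length so that a later bounds mistake returns zeros rather than another customer's data.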
The leak was discovered by one of Google's best-known bug hunters, Tavis Ormandy. He tweeted that he had been informed of the problem on February 17. As proof, he showed that the server had returned to him passwords and encryption keys belonging to users of other sites hosted by Cloudflare.
He later posted a tweet showing that the breach was more severe than he had first suspected. He was able to retrieve private messages from popular dating websites, frames from an adult-themed website, and hotel reservations. He could see customers’ addresses, passwords and other data.
He said in response that Cloudflare had sent a letter that really ‘downplays’ the potential risk of this leak to customers.
There were several periods of leakage, but the largest occurred between February 13 and February 18. Cloudflare did admit, however, that the leaks could have been occurring since September 2016.
Many have noted that the consequences of the breach could have been far worse had Google not discovered it when it did. Attackers could have made millions of requests and collected a large amount of information.