It hasn’t been a very good week for Cloudflare’s security team. Late last week, Tavis Ormandy from Google’s Project Zero discovered a rather large memory issue that was potentially leaking sensitive information from websites that use Cloudflare. That isn’t the best news to hear when you consider that Cloudflare works with over two million different websites, including some heavy hitters like Fitbit, OkCupid, and Uber.
Cloudflare says that it had the vulnerability fixed within hours after being contacted by Ormandy, but the major issue here is that this memory problem had been leaking information since September 22, 2016. Even worse is the fact that this information, which could include passwords, API keys, private messages, and cookies, could have been cached by search engines, turning the matter into more than your standard security breach.
Cloudflare has a very in-depth description of the bug over on its website, along with the solution and the lessons it’s learned from the mishap. The worry now turns to which websites were affected. Though Cloudflare has yet to release a full list (and likely won’t), a GitHub user has put together an unofficial list of websites that use Cloudflare DNS – not just Cloudflare’s proxy, which, as he points out, was what was actually at the center of this leak.
As you can see, the list is absolutely massive. Keep in mind that a website appearing on this list doesn’t necessarily mean its security has been compromised, but it’s good to include them out of an abundance of caution. Indeed, some sites on the list have been updated to reflect statements from their owners, which is the case for 1Password, a password manager service that has confirmed it wasn’t affected by this leak. Elsewhere, DoMa has shared a list of Cloudflare websites that have had public data leak out, though it again notes that any Cloudflare site can potentially be affected by this.
Cloudflare reassures that the amount of data that ultimately leaked is small – it says the “greatest period of impact was between February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.” Still, when we consider that Cloudflare works with millions of sites around the world and that this vulnerability lasted for around six months, there’s plenty of reason to be concerned.
What you should do about Cloudbleed
Make no mistake, this vulnerability is big, and many people are justifiably comparing it to the Heartbleed vulnerability from a couple of years ago. It’s hard to tell just how big the vulnerability is at this point in time, and there will probably be many more details surfacing over the next few weeks. In other words, if you’re trying to find which sites were compromised so you know which passwords to change, the smartest move right now is to change all of your passwords without concern for the finer points.
Beyond that, you should activate two-factor authentication if a website you use offers it, and password managers are never a bad idea, as they allow you to create and maintain unique passwords for each login you have. Obviously, Internet users who are concerned about privacy should have been doing this already, but breaches like these always serve as a good reminder that it’s never too late to begin taking your online security more seriously.