Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked from many client websites during the five months before the bug was discovered and reported by Tavis Ormandy, a Google researcher.
Unfortunately, it’s still not entirely clear how many Cloudflare customers were affected by the bug. The leaked data was cached by search engines in some cases, making the clean-up of the leak a difficult process. Although Google, Yahoo, Bing and other search engines worked to scrub the data before Cloudflare publicly disclosed the bug, researchers reported today that they were still finding samples of leaked data in search engine caches.
“You can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search… and they work,” Hector Martin, a security researcher, tweeted. (The Cloudflare incident has earned the nickname CloudBleed after being compared to the HeartBleed vulnerability.) Martin discovered an authentication cookie for a financial website, Motherboard reported. The cookie would allow an attacker to log in to the site without a password, posing as a regular user.
Given that sensitive data is still floating around in search engine caches, it’s a good idea to reset your account passwords and enable two-factor authentication. You should also use a password manager to generate unique passwords for the websites you visit.
Cloudflare hasn’t uncovered any evidence that the bug was discovered by anyone other than Ormandy — but it never hurts to refresh your passwords, particularly since they might still exposed in a cache.
Users can’t clean up the mess all by themselves. Because the leak included not just passwords but cookies and authentication tokens, website administrators will need to take action too.
It might be a good idea for sites that use Cloudflare to issue a forced password reset to their users and revoke authentication credentials for mobile apps. (Some Cloudflare customers, like Creative Commons and Bugcrowd, are already doing this.)
Security researcher Ryan Lackey points out that, for some sites, a password reset might not be worth the loss of trust that it can provoke in consumers. “It doesn’t appear large numbers of credentials have been compromised, so for a consumer service with limited risk to compromised accounts, it may not be worth the effort. For administrator credentials, or for any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update,” Lackey wrote in a Medium post.
You can check out a list of Cloudflare customers to see if websites you use might be affected by the leak — but keep in mind that not all of Cloudflare’s clients were affected. Because of the way Cloudflare’s code was configured, the leak was at its worst for less than a week, when 1 in every 3,300,000 Cloudflare requests might have caused leakage. As Cloudflare notes, that’s just 0.00003% of requests.
Featured Image: BeeBright/Shutterstock