First, change your passwords. Then find out what other private information the Cloudbleed data leak has exposed.
Don’t panic yet, but Cloudflare, the content delivery network and reverse proxy that fronts millions of websites, has been leaking customer data for months.
The leak exposed an unknown volume of page content, passwords, personal information, cookies, and other data belonging to Uber, Yelp, 1Password, Fitbit, OKCupid, and thousands of other websites and iOS apps that route traffic through Cloudflare.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Tavis Ormandy of Google’s Project Zero stumbled upon 2017’s first concerning data leak earlier this month, and Cloudflare confirmed it on February 23. The leak exposed passwords, private messages, and other sensitive information from many websites and major services.
“For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned,” explained Pen Test Partners whitehat hacker Andrew Tierney.
“This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data—my mum may have someone else’s passwords stored in her browser cache just by visiting another CloudFlare fronted site.”
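What Tierney describes is a memory over-read: a parser that walks past the end of the request it is handling and copies whatever bytes lie beyond it, which in a long-running server are often the remains of someone else’s request. The C program below is an added illustration of that mechanism written for this article; it is a constructed model, not Cloudflare’s parser, and the request bodies, the hostnames okcupid.example and uber.example, and the session value OKC-SECRET-7f3a are made up. It reuses one buffer for two requests the way server memory is reused, then runs a tag scanner whose end-of-input test is an equality check that a two-byte step over a trailing backslash can hop past, so the output produced for the second site’s request carries the first site’s cookie. The hardened variant differs only in using an ordering check (p >= pe).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a server buffer that is reused between
 * requests without being cleared (as heap memory usually is). */
#define POOL_SIZE 256
static char pool[POOL_SIZE];

/* Constructed sample traffic: a request to one site that carries a
 * session cookie, followed by a shorter request to another site whose
 * HTML ends in an unterminated tag with a trailing backslash. */
static const char *REQUEST_A =
    "GET /inbox HTTP/1.1\r\n"
    "Host: okcupid.example\r\n"
    "Cookie: session=OKC-SECRET-7f3a\r\n"
    "\r\n";
static const char *REQUEST_B =
    "GET / HTTP/1.1\r\n"
    "Host: uber.example\r\n"
    "\r\n"
    "<a \\";

/* Copy a request into the front of the shared buffer. Bytes of a longer
 * earlier request remain in place beyond the new request's end. */
static size_t load_request(const char *body)
{
    size_t n = strlen(body);
    if (n > POOL_SIZE - 1)
        n = POOL_SIZE - 1;
    memcpy(pool, body, n);
    return n;
}

/* Copy the inside of the first "<...>" tag in [p, pe) into out and return
 * the number of bytes copied. A backslash escapes the next byte, so the
 * scanner steps two bytes over it. With fixed == 0 the end-of-input test
 * is an equality check: an escape on the last byte leaves p at pe + 1,
 * the check never fires, and the scan runs on into stale bytes left by
 * the previous request. With fixed != 0 the ordering check stops it. */
static size_t extract_tag(const char *p, const char *pe,
                          char *out, size_t outsz, int fixed)
{
    size_t n = 0;

    while (p != pe && *p != '<')
        p++;
    if (p == pe) {
        out[0] = '\0';
        return 0;
    }
    p++;                                    /* step past '<' */

    while (n + 1 < outsz) {
        /* Vulnerable: p == pe.  Hardened: p >= pe. */
        if (fixed ? (p >= pe) : (p == pe))
            break;
        if (*p == '>' || *p == '\0')        /* end of tag / end of data */
            break;
        if (*p == '\\') {                   /* escape: skip escaped byte */
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Replay both requests through the shared buffer and scan the second one.
 * Returns the number of bytes the scanner produced for REQUEST_B. */
static size_t replay(int fixed, char *out, size_t outsz)
{
    size_t n;

    load_request(REQUEST_A);                /* leaves its bytes behind */
    n = load_request(REQUEST_B);            /* overwrites only the front */
    return extract_tag(pool, pool + n, out, outsz, fixed);
}

int main(void)
{
    char out[64];
    size_t n;

    n = replay(0, out, sizeof out);
    printf("vulnerable scanner returned %zu bytes for uber.example:\n%s\n", n, out);
    n = replay(1, out, sizeof out);
    printf("hardened scanner returned %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

Compile with any C99 compiler and run: the first block printed contains okcupid.example’s cookie even though it was produced while handling uber.example’s request, which is exactly the cross-site mix-up Tierney describes. The over-read here deliberately stays inside the shared buffer so the program is well defined; a real server reads whatever happens to sit next to the request on the heap.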
Project Zero and Cloudflare moved quickly: the bug was reported on February 17, an initial mitigation was in place within an hour, and the public was notified on the 23rd.
Google and Bing reportedly began purging leaked data from their search caches before the leak was made public, but Ars Technica noted that some sensitive data may still be out in the open.
1Password acknowledged that it uses Cloudflare but said its users’ data was not exposed: 1Password encrypts data with keys its servers never see before that data is sent over TLS, so anything Cloudflare’s proxy held in memory was already ciphertext.
Cloudflare stopped the leak by temporarily disabling the three features whose HTML-rewriting code triggered it (“email obfuscation, server-side excludes, and automatic HTTPS rewrites”) while a permanent fix was put into place.
Behind the Name
The leak has been nicknamed “Cloudbleed,” a nod to the 2014 Heartbleed vulnerability in some versions of OpenSSL; others call it CloudLeak, since the problem lay in Cloudflare’s own code rather than in a shared library.
Cloudbleed does share two startling similarities with Heartbleed: each affected software that sits in front of millions of websites, and each returned chunks of server memory to whoever sent a request, with no control over what those chunks contained.
The greatest period of impact was February 13 through February 18. According to Cloudflare, around 1 in every 3,300,000 HTTP requests through its proxy potentially leaked memory, about 0.00003 percent of requests. The earliest date memory could have leaked was September 22, 2016.
That rate sounds small, but this instance poses the threat of a more severe leak than the percentage suggests: what leaked was the content of HTTPS sessions that Cloudflare had already decrypted at its edge, and some of it was picked up by search-engine caches, where anyone could read it without attacking anything.
tl;dr there’s no guarantee that private message you sent on OkCupid isn’t on the public internet somewhere https://t.co/eZrb85l9ub
— Natalie Silvanovich (@natashenka) February 23, 2017
What’s at Stake
This data could potentially include:
- Confidential information (private messages on dating sites, emails)
- User identity information (Personally Identifiable Information, PII)
- In a healthcare context, Protected Health Information (PHI)
- User, application, or device credentials (passwords, API keys, authentication tokens, etc.)
It’s reported that the leak did not include any private SSL keys. That is a relief as far as it goes, but it is worth understanding why TLS did not protect the leaked data in the first place. SSL (Secure Sockets Layer, today superseded by TLS) is the standard technology for establishing an encrypted link between a server and a client, say a web server and a browser, or a mail server and a mail client such as Outlook. Cloudflare’s proxy terminates that encrypted link on its own servers and works on the plaintext in order to cache, filter, and rewrite content, so the requests and responses sitting in its memory were already decrypted.
According to DigiCert, SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Without it, data sent between browsers and web servers travels in plain text, which makes eavesdropping a real risk: an attacker who can intercept traffic between a browser and a web server can read and make use of that data.
Google’s Ormandy also pointed out, “The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup.”
“I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” he added.
Current Company Updates
- Uber: Impact on its service was very limited. Only a handful of user session tokens were leaked; those could have allowed access to the affected accounts and have since been changed. Passwords were not exposed.
- OKCupid: “CloudFlare alerted us last night of their bug and we’ve been looking into its impact on OkCupid members. Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them.”
- Fitbit: Investigating, adding that concerned users can change their account password at any time. Users who believe they’ve experienced an issue can email security@fitbit.com.
As Forbes noted, it’s important to remember that companies may not be able to determine how, when, or how many times data was leaked into people’s browser caches, or whether any attacks took place. Stay tuned to Cloudflare for updates and take action to protect yourself and your business.
Immediate Action
It’s recommended that people using affected apps or websites change their passwords and monitor related activity. Changing a password does not, on many services, invalidate sessions that are already signed in; where the service offers it, also log out of all devices so that any leaked session cookie or token stops working.
Additionally, a GitHub page lists potentially affected sites, but it includes every domain whose DNS is hosted by Cloudflare, not just the sites actually routed through the Cloudflare proxy where the leak occurred, so it overstates the exposure.
The potential damage from Cloudbleed depends on whether the flaw was noticed and exploited before it was fixed. If it was not, the chance that someone can do anything malicious with your passwords is fairly small; if it was, the chance is significantly higher. Remember, too, that data which landed in public caches could be read without any exploitation at all, so take your safety seriously either way.
Popular Mechanics’ Eric Limer suggests, “The best thing you can do—as is often the case—is to change your passwords. Any password used for multiple sites is at the greatest risk of being stolen or exploited, so those are good ones to change, along with the ones you use to protect particularly high-value accounts like bank accounts or password managers. Lastly, take this as an opportunity to turn on two-step verification on any service you use that supports it.”
We’ll have to wait and see the true extent of Cloudbleed; here’s hoping this scare simply serves as a good time to get prepared.