SOME of the world’s most popular websites and apps have been affected by a massive data leak after Internet security giants Cloudfare was hit by a tiny bug that exposed sensitive data, including passwords and personal information of millions of users.
The so-called Cloudbleed vulnerability has affected up to 3,400 websites, including popular services such as Uber, OKCupid and Fitbit, several leading technology sites reported Cloudfare as announcing late Thursday.
While there is no indication that hackers had actually accessed usernames and passwords, as well as a slew of other private information sent by users over the services, the information was exposed both on corrupted versions of the websites and in cached results on search services like Google and Bing, CBS News reported.
In a blog posting detailing the flaw, Cloudflare’s chief technical officer, John Graham-Cumming, said the company has not discovered any evidence of “malicious exploits” of the bug or other reports of its existence.
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” he said.
“Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.”
He said after being made aware of the bug, the company quickly identified the problem and turned off three minor Cloudflare features; email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites, that were all using the same HTML parser chain that was causing the leakage.
Due to the seriousness of the bug, he said a cross-functional team from software engineering, infosec and operations was formed in San Francisco and London to fully understand the underlying cause, and the effect of the memory leakage. The team is also working with Google and other search engines to remove any cached HTTP responses.
“Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with.”
He said one of the advantages of being a security service is that bugs can go from reported to fixed in minutes to hours instead of months.
“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes,” he said.
According to Wired, Google vulnerability researcher Tavis Ormandy uncovered the flaw on Feb 17, but the bug that inserted random data from any of six million users of major sites like Uber could have been leaked since September last year. This means that information about an Uber ride a user took and even their password could have invariably ended up hidden in the code of another site.
However, the exposed data is not easily available as it was not posted on well-known or high traffic sites. Regardless, the leak includes sensitive cookies, login credentials, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys.
Another popular tech news site said it would take some time before the full extent of the leak could be determined. Users have also been urged to change all their passwords and implement two-factor authentication everywhere they can.
Cloudflare might not be a household name for regular Internet users, but a lot of favourite websites are being run by the company’s technology.
Describing itself as a “web performance and security company”, Cloudfare was originally set up to track sources of spam since 2009, but has grown to offer other performance-based services such as content delivery services; reliability-focused offerings like domain name server (DNS) services; and security services like protection against direct denial of service (DDoS) attacks, according to Gizmodo.
The fact that Cloudflare is a security company makes the dustup around this new vulnerability supremely ironic. After all, countless companies pay Cloudflare to help keep their user data safe. The Cloudbleed blunder did the opposite of that.
“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote in an advisory, as quoted by Gizmodo.
“We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”