SOME of the world’s most popular websites and apps have been affected by a massive data leak after internet security giant Cloudfare was hit by a tiny bug that exposed sensitive data, including passwords and personal information of millions of users.
The so-called ‘Cloudbleed’ vulnerability had affected up to 3,400 websites, including popular services such as Uber, OKCupid and Fitbit, Cloudfare announced late last week.
Although there has yet to be any sign that hackers have accessed the sensitive information, including usernames and passwords, the information can now be seen on corrupted versions of the websites and in cached results on search engines such as Google and Bing, CBS News reported.
— Duke Leto (@dukeleto) February 23, 2017
In a blog posting detailing the flaw, Cloudflare’s chief technical officer, John Graham-Cumming, said the company has not discovered any evidence of “malicious exploits” of the bug or other reports of its existence.
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” he said.
“Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare website that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.”
He said after being made aware of the bug, the company quickly identified the problem and turned off three minor Cloudflare features; email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites, that were all using the same HTML parser chain that was causing the leakage.
Because of the seriousness of such a bug, he said a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause and the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.
“Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with.”
He said one of the advantages of being a security service is that bugs can go from reported to fixed in minutes to hours instead of months.
“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes,” he said.
According to Wired, Google vulnerability researcher Tavis Ormandy uncovered the flaw on Feb 17, but bugs that inserted random data from any of six million users of major sites like Uber could have been leaking since Sept last year. This means that information about an Uber ride a user took and even their password could have invariably ended up hidden in the code of another site.
— Steven Rombauts (@stevenrombauts) February 24, 2017
However, the exposed data was not easily available as it was not posted on well-known or high traffic sites. Regardless, the leak included sensitive cookies, login credentials, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys.
Another popular tech news site said it will take some time before the full extent of the leak could be determined. Users were also urged change all their passwords and implement two-factor authentication everywhere they could.
Cloudflare might not be a household name for regular internet users, but a lot of favorite websites are being run by the company’s technology.
Describing itself as a “web performance and security company”, Cloudfare was originally set up to track sources of spam since 2009, but have grown to offer other performance-based services such content delivery services; reliability-focused offerings like domain name server (DNS) services; and security services like protection against direct denial of service (DDoS) attacks, according to Gizmodo.
The fact that Cloudflare is a security company makes the dust-up around this new vulnerability supremely ironic. After all, countless companies pay Cloudflare to help keep their user data safe. The ‘Cloudbleed’ blunder did the opposite of that.
“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote in an advisory, as quoted by Gizmodo.
“We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
This article originally appeared on the Asian Correspondent