The most worrying web leak of 2017: Cloudflare’s #CloudBleed

Google’s Project Zero team detected a huge data leak on Friday 24 February which may persuade you to change all your passwords.

According to Cloudflare’s incident report, a bug exposed private session keys and other sensitive data of 2 million sites on the Cloudflare network.

Once again – no one is safe!

What is the issue with Cloudflare?

Cloudflare is a company that provides web security to an estimated 5.5 million websites on the internet. Websites that could potentially be affected include well-known sites such as Uber, Transferwise, Weebly and OKCupid. A full list can be seen here (https://github.com/pirate/sites-using-cloudflare).

The problem was first noticed by Tavis Ormandy from Google’s bug team when he saw corrupted web pages being returned by some HTTP requires that run through Cloudflare.

For example, if you visited an affected website, the data could be returned from a previous request from the website. Pen Test Partners whitehat hacker Andrew Tierney explained: “This sensitive data could’ve been returned to anyone”.

Twitter response

Multiple Twitter users have sought to get #CloudBleed trending to notify people to change their passwords after the serious data breach. Other users have seen the silver lining in the situation by making a dark joke of “Happy password reset day”.

Some may joke about the event, but seeing the speed and trend of data breaches, there may well be a dedicated day in the near future. It’s not such a bad idea as this will highlight the importance of data security for companies and businesses alike, as well as highlighting to individuals the proactive approach they must take to prevent being victimised by such cyber-crimes.

Cloudflare’s response

Cloudflare’s response method can be seen on their website. They said that the problem was identified quickly and managed to turn off three minor Cloudflare features that were using the same HTML chain that was the cause of the data leak.

Due to the seriousness of the bug, a cybersecurity team from software engineering infosec and operations were formed in San Francisco and London to diagnose and understand the cause of the leak. Having a global team allowed them to work on the problem for 24 hours a day. The team has highlighted the advantages of this service; a reported bug can be fixed in minutes to hours instead of months. Cloudflare backed this up by saying that the standard time to fix a bug can usually take up to three months, however they stated that the bug was fixed in under 7 hours, with the initial mitigation of the effects done in 47 minutes.

Some may say that the reaction time of Cloudflare was extremely speedy following the ‘Cloudbleed’ scenario as a team was assembled in San Francisco just 30 minutes after Mr Ormandy tweeted:

Could someone from cloudflare security urgently contact me.

— Tavis Ormandy (@taviso) February 18, 2017

Though the effects may have been mitigated, and the bug fixed in an extraordinarily swift amount of time, we mustn’t forget that that the bug was serious and the leaked memory could’ve contained private and sensitive information.

It’s a good thing that the Google team contacted Cloudflare and are working closely with them to rectify the problems that may arise following the memory leak.

Lessons learned?

Cloudflare has learned their lesson and has taken extra precautions with the new HTML server; the cybersecurity team spent hours verifying the new server to ensure that it didn’t contain any cybersecurity problems. The team is also continually reviewing the older software in search for potential other cybersecurity issues.

The only helpful advice that can be given at this moment in time is to terminate all related sessions and change all passwords for affected accounts.

Huge hack affects thousands of NHS staff

Millions of WhatsApp and Telegram users exposed to ransom hacks