A massive security flaw in the Cloudflare client has led to what may be the biggest data breach of 2017. Cloudflare is a web infrastructure company that provides hosting and security services for hundreds of popular websites. The flaw, known as Cloudbleed, was discovered and patched last week, but because of the nature of the security breach, the repercussions could be long-lasting.
Cloudflare got its start as an app to track and weed out spam from internet comment systems. In the years since, Cloudflare has grown to include domain and security-based services for a wide variety of websites. Cloudbleed is a bug in the main platform that resulted in a buffer overrun vulnerability. In layman's terms, this means that when data was being written to a website, if the standard storage space was full, it would attempt to save that data to the next available location. For websites that hosted Cloudflare software, the next available space was often on an entirely different website. Misplaced information could and does include everything from usernames and passwords to private messages that originated from popular dating websites.
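To make the "next available location belongs to another website" point concrete, here is an added illustration in C. It is not Cloudflare's code and does not reproduce the actual Cloudbleed parser; it simulates a shared memory arena in which two hypothetical sites, site-A and site-B, each own a fixed-size slot (constructed sample data). A render routine that trusts a caller-supplied length without checking it against the slot size copies the neighbour's bytes, including a constructed secret, into site-A's output; the hardened version clamps the read to the tenant's own slot. The over-read is kept inside the arena so the demonstration has defined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define SLOT    16   /* bytes each tenant (site) owns in the shared arena */
#define TENANTS 2

/* Shared arena: tenant 0 (site-A) and tenant 1 (site-B) sit side by side,
   the same way one process served many sites' responses from one memory space. */
static char arena[TENANTS * SLOT];

/* Constructed sample data: site-B's slot carries a secret it never meant to share. */
void arena_init(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + 0 * SLOT, "site-A:hello", 12);      /* site-A's response */
    memcpy(arena + 1 * SLOT, "site-B:pw=s3cret", 16);  /* site-B's response */
}

/* Vulnerable pattern: the length is checked only against the destination buffer,
   never against the source slot, so len > SLOT reads straight into the neighbour. */
size_t render_unchecked(int tenant, size_t len, char *out, size_t outsz) {
    if (len > outsz) len = outsz;
    memcpy(out, arena + tenant * SLOT, len);
    return len;
}

/* Hardened pattern: validate the tenant index and clamp the read to its own slot. */
size_t render_checked(int tenant, size_t len, char *out, size_t outsz) {
    if (tenant < 0 || tenant >= TENANTS) return 0;
    if (len > SLOT)  len = SLOT;
    if (len > outsz) len = outsz;
    memcpy(out, arena + tenant * SLOT, len);
    return len;
}

/* Detection check: does a rendered buffer contain site-B's constructed secret? */
int leaks_secret(const char *buf, size_t n) {
    const char *needle = "s3cret";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Render site-A with an oversized length (32 bytes, twice its slot) and report
   whether site-B's secret ended up in the output. Returns 1 if it leaked. */
int demo_leaks(int use_checked) {
    char out[64];
    size_t n;
    arena_init();
    n = use_checked ? render_checked(0, 32, out, sizeof out)
                    : render_unchecked(0, 32, out, sizeof out);
    return leaks_secret(out, n);
}

int main(void) {
    printf("unchecked render leaks site-B secret: %d\n", demo_leaks(0));
    printf("checked render leaks site-B secret:   %d\n", demo_leaks(1));
    return 0;
}
```

The takeaway for reviewers of any multi-tenant service is the shape of the bug, not the specific code: a length derived from one request must be bounded by the region that request is allowed to touch, and a check against the output buffer alone (as in `render_unchecked`) does nothing to protect the source region beside it.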
The Cloudflare software is used by numerous major websites, whose users have now all been encouraged to change their passwords. Compromised websites include Uber, Yelp, Fitbit, Change.org and OKCupid, just to name a few. What makes the issue particularly disturbing is that, unlike a hack attempt, this data leak was caused by the system itself and has been bleeding information for at least six months. Because the information has had the potential to show up on any website that shares the code, it's difficult to gauge the full amount of damage done.
The worst part of the Cloudbleed security flaw is that, due to the nature of the leak, it's possible that some of this information has been indexed by search engines in the time since the vulnerability began. Cloudflare estimates that at the height of the problem, roughly one in every 3,300,000 HTTP requests resulted in data leakage. That number may seem very small, but consider that every website comment, instant message and login triggers one of these requests. Now multiply that by hundreds of websites, each with tens of thousands of users, over the course of at least five months. While a long shot, this means that some of your private information could be stored and searchable on Google right now.
There is no simple solution to the Cloudbleed problem. Cloudflare has already patched the vulnerability, but the damage done could still be rearing its head months from now. The best course of action for users of any of these websites is, first, to change all of your passwords. If you use the same usernames and passwords on any other websites (which you shouldn't), then you should change those as well. The next precaution is to look into which of these services offer two-factor authentication. Two-factor authentication makes it incredibly difficult for your personal accounts to be accessed without your authorization, even if your password is compromised. When it comes to any other personal data that may have leaked, you are unfortunately going to have to hope that it doesn't show up unexpectedly. As an aside, this is a good reminder never to post anything online that you wouldn't want your worst enemy, or your grandmother, to read.