Ok, so we don’t like to sound alarmist, but this is kind of a big deal. A bug in Cloudflare’s code has led an unknown quantity of data—including passwords, personal information, messages, and more—to leak all over the internet. Is this the first you’re hearing about the Cloudbleed vulnerability? Buckle up. This is kind of scary.
First, you should know more about Cloudflare:
Cloudflare may not be a name you’ve heard of, but its software sits in front of a lot of big websites. Cloudflare is a “web performance and security company.” Started as an app for tracking down spam sources, the company now offers a bunch of products to websites, including content delivery services; reliability-focused offerings like domain name server (DNS) services; and security services like protection against distributed denial of service (DDoS) attacks. What’s ironic is that these services are supposed to make data more secure. It is a huge blunder for the company, and many are wondering if they will be able to bounce back.
What is Cloudbleed:
In layman’s terms, Cloudflare’s software tried to write user data into a fixed-size area of memory and ran past the end of it. So Cloudflare’s software ended up reading and sending out data from elsewhere in memory. The data included everything from API keys to private messages. AND the data was also cached by Google and other major search engines, which means that Cloudflare now has to track down all that cached “back data” before cyber-criminals do.
To be more specific, or put it in technical terms, Gizmodo explains it well:
“[A] single character in Cloudflare’s code leads to the vulnerability. It appears to be a simple coding error, though we’ve reached out to Cloudflare for information on what exactly happened. (Update: Cloudflare called us back and explained some things.) Based on what’s been reported, it appears that Cloudbleed works a bit like Heartbleed in how it leaks information during certain processes. The scale of Cloudbleed also looks like it could impact as many users as Heartbleed, as it affects a common security service used by many websites.
According to a Cloudflare blog post, the issue stems from the company’s decision to use a new HTML parser called cf-HTML. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.
Cloudflare ran into trouble when formatting the source code of cf-HTML and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, it would fill up the buffer and then keep writing code somewhere else.”
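To make the “==” versus “>=” point concrete, here is a small added illustration (our own example, not Cloudflare’s parser or the Ragel-generated code). It is a deliberately simplified tag scanner: a plain byte advances the read pointer by one, but a “<” makes the scanner consume two bytes at once, the way a real state machine swallows a multi-byte transition. The only difference between the two modes is the end-of-input check. With “==”, a two-byte step can jump over the end pointer without ever being equal to it, so the loop would carry on reading whatever memory happens to follow the buffer; with “>=” it stops. The sample HTML fragment is constructed for the example, and the code measures the overrun instead of actually reading past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_OVERRUN 64 /* cap on how far the simulated overrun is reported */

/*
 * Scan a buffer with a toy tag state machine.
 *   - an ordinary byte advances p by 1
 *   - a '<' advances p by 2 (it consumes the '<' and the byte after it
 *     without first checking that such a byte exists)
 *
 * use_fixed_check == 0 reproduces the bug described in the text: the
 * end-of-input test is "p == pe". use_fixed_check == 1 uses "p >= pe".
 *
 * Returns the number of bytes p ended up beyond the end of the buffer
 * (0 when the scan stayed in bounds). Nothing beyond pe is ever
 * dereferenced; the overrun is only measured, so this is safe to run.
 */
size_t scan_tags(const unsigned char *buf, size_t len, int use_fixed_check,
                 size_t *tags_seen)
{
    const unsigned char *p = buf;
    const unsigned char *pe = buf + len;
    size_t tags = 0;

    for (;;) {
        int at_end = use_fixed_check ? (p >= pe) : (p == pe);
        if (at_end)
            break;

        if (p > pe) {
            /* The "==" test missed the end because p jumped over pe.
             * A real parser would now read adjacent heap memory and could
             * copy it into the response; here we stop and report it. */
            size_t over = (size_t)(p - pe);
            if (tags_seen)
                *tags_seen = tags;
            return over > MAX_OVERRUN ? MAX_OVERRUN : over;
        }

        if (*p == '<') {
            tags++;
            p += 2; /* two-byte step: this is what can skip past pe */
        } else {
            p += 1;
        }
    }

    if (tags_seen)
        *tags_seen = tags;
    return 0;
}

int main(void)
{
    /* Constructed sample: the fragment ends on a lone '<', so the last
     * two-byte step lands one byte past the end of the buffer. */
    const char *truncated = "<b>hi</b><";
    const char *wellformed = "<b>hi</b>";
    size_t tags;

    size_t over_buggy = scan_tags((const unsigned char *)truncated,
                                  strlen(truncated), 0, &tags);
    printf("'==' check, truncated input: %zu tag(s), overran by %zu byte(s)\n",
           tags, over_buggy);

    size_t over_fixed = scan_tags((const unsigned char *)truncated,
                                  strlen(truncated), 1, &tags);
    printf("'>=' check, truncated input: %zu tag(s), overran by %zu byte(s)\n",
           tags, over_fixed);

    size_t over_ok = scan_tags((const unsigned char *)wellformed,
                               strlen(wellformed), 0, &tags);
    printf("'==' check, well-formed input: %zu tag(s), overran by %zu byte(s)\n",
           tags, over_ok);
    return 0;
}
```

The takeaway for anyone writing or reviewing parsers: an equality test against an end pointer is only safe if every step is exactly one byte, and the moment any transition consumes more than that the check has to be “>=” (or, better, a length check before each multi-byte read). The well-formed input shows why such bugs hide for so long: the “==” test behaves perfectly until the input happens to end mid-token.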
Are you in trouble? What should you do? Security expert Ryan Lackey has some good advice:
“Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites,” Lackey wrote. “Users should also log out and log in to their mobile applications after this update. While you’re at it, if it’s possible to use 2FA or 2SV with sites you consider important.”
So yes, this is big. And no, you are not the exception. An unofficial list of affected sites is being compiled on GitHub. As you can see, a lot of well-known sites are on that list. So do yourself a favor and follow Lackey’s advice above.
And contact Upward Technology today if you want to talk more about how we can help make you and your business more secure in this digital age!