CloudFlare, a content delivery network (CDN) and web security provider that helps optimize safety and performance of over 5.5 Million websites on the Internet, is warning its customers of the critical bug that may have exposed a range of sensitive information, including passwords, and cookies and tokens used to authenticate users.
Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug that was discovered in 2014, but believed to be worse than Heartbleed.
The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.
What is Cloudbleed?
Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.
CloudFlare acts as a proxy between the user and web server, which caches content for websites that sits behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security.
Almost a week ago, Ormandy discovered a buffer overflow issue with Cloudflare's edge servers that were running past the end of a buffer and were returning memory containing private data like HTTP cookies, authentication tokens, and HTTP POST bodies, with some of the leaked data already cached by search engines.
Cloudflare's "ScrapeShield" feature parses and obfuscates HTML, but since reverse proxies are shared among customers, it would affect all CloudFlare customers.
Cloudflare has since patched the issue.
How Does Cloudbleed Affect You?
There are a large number of Cloudflare's services and websites that use parsing HTML pages and modify them through the Cloudflare's edge servers.
Even if you do not use CloudFlare directly, that does not mean that you are spared. There is always a chance that websites you visit and web services you use may have been affected, leaking your data as well.
Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare's proxies.
While CloudFlare's service was rapidly patched the bug and has said the actual impact is relatively minor, data was leaking constantly before this — for months.
Also, other leaked data might exist in other services and caches throughout the Web, which is impossible to delete across all of these locations.
Some of the Cloudflare's major customers affected by the vulnerability included Uber, 1Password, FitBit, and OKCupid. However, in a blog post published by 1Password, the company assured its users that no sensitive data was exposed because the service was encrypted in transit.
However, a list of websites that have potentially been impacted by this bug has been published by a user, who go by the name of 'pirate,' on GitHub, which also included CoinBase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more.
Since CloudFlare does not yet provide the list of affected services, bear in mind that this is not a comprehensive list.
What should You do about the Cloudbleed bug?
Online users are strongly recommended to reset their passwords for all accounts in case you have reused the same passwords on every site, as well as monitor account activity closely as cleanup is underway.
Moreover, customers who are using Cloudflare for their websites are advised to force a password change for all of their users.