A tiny bug in Cloudflare’s code allowed sensitive data to be leaked and cached by search engines. The data included passwords, cookies, API keys, personal messages, IP addresses and more. This Cloudflare leak is being called Cloudbleed and it’s a single character in the code that’s ultimately to blame.
Google’s Tavis Ormandy, working with the Project Zero security team, discovered the vulnerability and notified Cloudflare. Cloudflare was extremely quick to react. A fix for the leak was in place within the hour and completely patched 7 hours later. And Google went to work clearing private information that had been cached. However, the data leaks started in September of last year, so the amount of information leaked and whether the bug was found and exploited at all is unknown.
Which sites were affected by Cloudbleed?
A few of the popular sites using Cloudflare that may have been affected by Cloudbleed are Uber, FitBit, Medium, Feedly and OKCupid. Many mobile apps may have been affected, too. Ormandy said some of the information he found included data from an online password manager, hotel reservations, private messages from a dating site and more.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Reports are that the bulk of this Cloudflare leak happened February 13 through February 18. Nearly 3,500 domains were affected, including 150 customers of Cloudflare. But still, the leaks only occurred once per 3,300,000 HTTP requests. The public disclosure of Cloudbleed was only done after search engines had a chance to clear caches.
Be proactive about your security
This goes to show that even the biggest players and security professionals can make mistakes. You should do everything possible to secure your data on your end with strong passwords that you change regularly, and use two-factor authentication whenever you can. Given the number of sites this affected, now is a good time to update both your passwords and your two-factor authentication settings.
If you use Cloudflare for your site, security professional Ryan Lackey says you might want to force your users to change their passwords.
If you use LastPass, here’s how you can automatically update your passwords.
While not a definitive list, here’s a list of sites that potentially may have been affected.
Concerned about whether specific sites use Cloudflare and may have been affected? You can use this tool to find out.
If you’ve found this helpful, please share!
We’ll add any new tools or lists of sites affected by this Cloudflare leak to this post. In the meantime, if you know of something else that would be helpful, please let us know in the comments below so we can possibly add it, as well.