Is the Cloudbleed Bug Putting Vendor-Held Data at Risk?

A security flaw is once again forcing us to change our passwords and contact vendors.

Nearly 3,400 websites, including Uber, Bain Capital, Security Scorecard, Bitsight, and Fitbit,[i] may have been affected by “cloudbleed,” a vulnerability affecting user data at sites using the Cloudflare security service. User data at these sites was published to the public by mistake, possibly including logins and passwords for the affected websites.

The issue was discovered on Friday, February 24, 2017, by Google security researcher Tavis Ormandy. The vulnerability caused a leak in customer HTTPS sessions for the past several months. “The examples we’re finding are so bad,” Ormandy wrote on the Project Zero site. “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Cloudflare has explained that the cloudbleed problem began with a security issue with their edge servers that caused corrupted web pages to be returned by some HTTP requests run through its service.

While Cloudflare has fixed the code causing the problem and reports that it hasn’t yet discovered any evidence of malicious exploits taking advantage of the problem, we’re not out of the woods yet. Search engines have already cached many of the affected pages, including those with sensitive data. These crawlers have likely already collected the data and may not yet realize the significance of the information they have stored on their servers.

What should you do to address the cloudbleed security risk? Poll your vendors to determine if they were affected.

Other helpful tools include:

[i] These websites have been identified based on the free detection tools linked in the above article.