CSO Alert: Millions of Sites Exposed with CloudBleed Bug

There is a new cyber bug in town. According to Cloudflare, a company that provides security and performance services to millions of websites across the internet, a bug in its platform has leaked sensitive customer information.

It was revealed on Thursday, although according to Tavis Ormandy, the Google vulnerability researcher who first uncovered the flaw, the data could have been leaking since September. Cloudflare's platform was inserting random data belonging to any of its six million customers, including big names like Fitbit, Uber, and OKCupid, into the pages it served. Basically, if you took an Uber ride, your ride details and Uber password could be hiding in the code of another website.

Leaked data includes sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare's own internal cryptography keys. The leaked data was also being recorded in the caches of search engines such as Google and Bing.

However, Cloudflare acted quickly: it deployed a preliminary fix less than an hour after learning about the issue and permanently patched the flaw across all its systems around the world in under seven hours. The company has also been working with Google and other search engines to scrub their caches so that people cannot simply run searches to find and collect sensitive information from the leak.

The fallout from this bug is large, and despite Cloudflare's efforts to clean up the mess it remains a concern. To mitigate whatever risk does remain, security researcher and former Cloudflare employee Ryan Lackey suggests changing every password for every online account, since the "Cloudbleed" leak could have exposed anything. "It's coming out of a universe of all possible data that went through Cloudflare in the past six months, so there's a lot of potential data," says Lackey.

By: Mahnoor Shah