Yesterday, Cloudflare, the provider of security and performance services for websites, reported that a bug in its code leaked sensitive data from its client websites. Cloudflare’s clients include sites such as 1Password, Uber, OkCupid and Fitbit, along with millions of others.
Experts point to the likely loss of cookies and passwords from sites that use Cloudflare’s services. The bug went undiscovered for a whole five months before Tavis Ormandy, a Google researcher, found it.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
So far, Cloudflare has not given details on how its customers were affected, directly or indirectly. Because the leaked data was cached by the major search engines, cleaning it up online has become a daunting task. It also appears that the major search engines (Bing, Google, Yahoo and others) knew about the bug before Cloudflare went public, since clean-up efforts were already underway before the company publicly acknowledged the bug.
The bad news is that experts can still find some of the cached data on search engines. Hector Martin, a renowned security researcher, reported on his Twitter account that the data can be found on Google with a simple search. Specifically, his search turned up authentication cookies for the affected sites, including one for Motherboard, a financial website that is a Cloudflare client.
You can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search… and they work. Scary.
— Hector Martin (@marcan42) February 24, 2017
All is not lost, however: you can still take measures to keep your site or account safe in the face of #CloudBleed.
- First of all, reset the passwords of your accounts held with Cloudflare. This will throw off any hacker trying to use the leaked logins to access your data.
- Secondly, start using two-step verification for all your accounts. That way, any unauthorized attempt to log into your account will be stopped in its tracks.
- Still, these steps may not be enough to stop attackers from accessing your sensitive data. You should also use a password generator/manager, which generates a strong, random password for each login.
- This way, even if your account’s login credentials were leaked by the bug, you keep control of your account. Because the passwords may still sit in a cached file, the danger has not gone away unless you take the measures stated here.
The good news is that website administrators have been made aware of the extent of the bug, and they need to step in to salvage the situation. Because authentication tokens and cookies were leaked alongside passwords, website administrators will have to force a password reset. Better still, it is likely that your site was not affected, since Cloudflare has stated that only 0.00003% of requests could have been compromised.
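The user steps above (reset the password, turn on two-step verification) and the forced reset the administrators have to apply can be expressed as one server-side policy: any cookie issued before a revocation cutoff, or before the account's last password change, is rejected, so a cookie pulled from a search-engine cache stops working. The following is an added illustration, not code from the article or from Cloudflare; the cutoff date, account records and sessions are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed revocation cutoff (not from the article): the site operator picks the
# moment before which every cookie or token must be treated as exposed.
REVOKE_BEFORE = datetime(2017, 2, 23, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    password_changed_at: datetime
    mfa_enabled: bool


@dataclass
class Session:
    user: str
    issued_at: datetime


def session_is_valid(session: Session, account: Account,
                     revoke_before: datetime = REVOKE_BEFORE) -> bool:
    """Reject any cookie from the exposure window and any cookie older than the
    account's last password change, so a cached cookie found later is dead."""
    if session.issued_at < revoke_before:
        return False
    if session.issued_at < account.password_changed_at:
        return False
    return True


def required_actions(account: Account,
                     revoke_before: datetime = REVOKE_BEFORE) -> list:
    """List what the account owner still has to do, in the order the article gives."""
    actions = []
    if account.password_changed_at < revoke_before:
        actions.append("reset_password")
    if not account.mfa_enabled:
        actions.append("enable_two_step")
    return actions


# Constructed sample data, not real accounts or sessions.
OLD = datetime(2016, 12, 1, tzinfo=timezone.utc)   # inside the exposure window
NEW = datetime(2017, 2, 25, tzinfo=timezone.utc)   # after the cutoff
ALICE = Account("alice", password_changed_at=NEW, mfa_enabled=True)
BOB = Account("bob", password_changed_at=OLD, mfa_enabled=False)

if __name__ == "__main__":
    print(session_is_valid(Session("alice", OLD), ALICE))  # False: cookie from the window
    print(session_is_valid(Session("alice", NEW), ALICE))  # True
    print(required_actions(BOB))                            # ['reset_password', 'enable_two_step']
```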