
Cloudbleed Bug Impacts Large Swath of the Internet

Cloudbleed is the name of the newest wide-reaching security flaw to affect the internet, exposing the private information of millions of users worldwide. A flaw in the popular Cloudflare Content Delivery Network (CDN), which is used by some 5.5 million websites, Cloudbleed leaked information such as passwords, message contents, and more for at least a week before the hole was finally fixed. While it is patched now, who knows what private information is still out there. Change your passwords.

Cloudflare makes a web content delivery product used by millions of customers to enhance website performance and security. The bug was found in a parser that powers security features; the parser works by saving website content and data to memory for parsing. The bug caused this data to leak, at random, into the code of web pages in the Cloudflare network, such that when you visited a web page, that page would include leaked data from an entirely different Cloudflare-supported website.
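A simplified model of this class of parser bug, added here as an illustration and not Cloudflare's code: Cloudflare's public write-up attributed the leak to an end-of-buffer test written as an equality check, which a pointer that steps past the end never satisfies. The region layout, sample data and the names `fill_region`, `copy_attr` and `parse_sample` are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 64  /* one reused memory region (constructed model) */

/* Put the page being parsed at the start of the region; the bytes after it
   stand in for leftovers from another site's request (constructed data). */
static size_t fill_region(char *region, const char *page) {
    size_t n = strlen(page);
    memset(region, 0, REGION_SIZE);
    memcpy(region, page, n);
    memcpy(region + n, "Cookie: session=OTHER-SITE", 26);
    return n;
}

/* Copy an attribute value into out until a closing quote. A backslash
   escape consumes two bytes, so p can step from pe-1 straight to pe+1.
   bounded=0 uses the equality end test, bounded=1 uses p >= pe.
   limit only keeps this demo inside the region array. */
static size_t copy_attr(const char *p, const char *pe, const char *limit,
                        char *out, int bounded) {
    size_t n = 0;
    for (;;) {
        if (bounded ? (p >= pe) : (p == pe)) break;  /* end-of-buffer test */
        if (p >= limit || *p == '"' || *p == '\0') break;
        if (*p == '\\') { p += 2; continue; }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Parse a constructed page: an unterminated attribute ending in an escape. */
static size_t parse_sample(int bounded, char *out) {
    char region[REGION_SIZE];
    size_t len = fill_region(region, "<img src=\"a\\");
    return copy_attr(region + 10, region + len, region + REGION_SIZE, out, bounded);
}

int main(void) {
    char out[REGION_SIZE + 1];
    printf("equality test: %zu bytes: %s\n", parse_sample(0, out), out);
    printf("bounded test:  %zu bytes: %s\n", parse_sample(1, out), out);
    return 0;
}
```

With the equality test the output carries bytes that belonged to the neighbouring request; with the bounded test the parser stops at the end of its own input.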

Although Cloudflare initially reported that end-user passwords, authentication cookies, OAuth tokens used to log into multiple website accounts, and encryption keys were at risk of exposure, Cloudflare now reports that it has not yet found any instances of passwords, credit cards or health records among leaked data but that leakage of this and other sensitive data cannot be ruled out.

The good news: Cloudflare acted quickly to remediate the bug and purge known instances of leaked data from search engine caches—all before any reported instances of the bug being discovered or exploited by malicious actors.

The bad news: Some of the leaked data – including passwords, encryption keys, authentication tokens and conversations – is clearly sensitive and potentially exploitable to the extent it is still discoverable in search engine caches or elsewhere.

Read article:

Read blog from Cloudflare:
