Over the last few days you may have heard the term #Cloudbleed thrown around the water cooler. Some of the questions our customers are asking us include, “What is Cloudbleed?” and “Am I protected from Cloudbleed?” As your resident Security Professional, I’ll be glad to help you to understand what the Cloudbleed buzz is all about and how it may impact you.
— First, I want to be very clear that the Cloudbleed bug does NOT impact SiteLock TrueShield™ WAF/CDN. More below.
What is #Cloudbleed?
The content delivery network (CDN) provider, Cloudflare, recently announced that there was a bug in the code used by some of their caching services. This bug could allow for what is called a buffer overflow, which may result in memory being publicly leaked under certain circumstances. This leak impacted the visitors of websites using the Cloudflare CDN between September 22nd, 2016 and February 18th, 2017.
The reason why this is concerning is that the data contained within memory is more often than not private information that could tell an adversary a significant amount of information about your browsing activity and login data. This could then be used to gain access to your website accounts. Compounding the issue, some of the data from the memory leaks were inadvertently being cached by web crawlers, like those deployed by Google and other search engines, making some the leaked data more persistently accessible. Features like cookies and authentication tokens could be used to spoof user logins and gain unauthorized access to accounts, and POST body content often contains sensitive transactions data like personal messages on a dating website, travel history with a rideshare service, passwords to a financial services agency, and even credit card information used during checkout. This data could have been collected by adversaries over the months it was accessible.
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.
Who is Impacted?
I want to reiterate that this bug was limited to Cloudflare’s technology, specifically in how it was using a Ragel-based parser and NGINX in its caching mechanisms — SiteLock TrueShield™ WAF/CDN does not use either of these technologies and is not impacted by this bug. It is important to clarify that the websites using the Cloudflare CDN are not the victims of this issue – the users visiting these sites are.There is a possibility that you have visited a website using the Cloudflare CDN, and your data could have been impacted. It is difficult to determine who has been impacted by this bug. However, A GitHub user by the name of Pirate has compiled a list of websites that use the Cloudflare technology and may have been impacted by the leaks. This is a good resource to reference when cross-checking your browser history. My professional advice is to assume you’ve been impacted and change all of your passwords immediately.
Some of the more notable website potentially impacted include:
What You Need to Do
If you’ve visited a website that used the Cloudflare CDN during the period of impact, this leak has potentially impacted your passwords and credit card information. Your first steps are to:
- Change your passwords.
- Watch your credit card statements for suspicious charges.
If you’re the owner of a website using Cloudflare CDN, you should contact Cloudflare to find out if yours was one of at least 161 websites that were confirmed to have leaked data cached by a search engine. If your website was confirmed, you should consider the best ways to disclose the potential data leak to your visitors. Honesty is the best policy.