Cloudflare bug exposes users' sensitive data in plaintext, affecting millions of sites


The bug caused websites behind Cloudflare to serve users' sensitive data in plaintext. The exposed data included passwords, cookies and authentication tokens.

Cloudflare is a service used by millions of websites. It sits in front of them as a reverse proxy, absorbing DDoS attacks so that the sites stay online, and it also offers a web application firewall and other services intended to keep sites protected and functioning. The company has now disclosed a bug in its software that put its customers' users at risk.

The bug caused websites behind Cloudflare to emit sensitive data in plaintext as part of the pages they served. The leaked data included passwords, cookies and authentication tokens. This data is normally protected by TLS in transit, but Cloudflare terminates TLS on its edge servers, so it sits unencrypted in their memory; the bug caused chunks of that memory to be inserted into responses, where anyone fetching an affected page, including search-engine crawlers that cached it, could read it. Memory could have leaked as early as September 2016, and the heaviest period of leakage was between February 13 and February 18, 2017.

Cloudflare notes in its announcement of the issue that even at its peak, data leaked in only about 0.00003% of requests (roughly one in every 3.3 million). That sounds small, but Cloudflare's massive customer base includes categories like dating websites and password managers, which hold particularly sensitive data.

“At the peak, we were doing 120,000 leakages of a piece of information, for one request, per day,” Cloudflare chief technology officer John Graham-Cumming told TechCrunch. He emphasized that not all of those leakages would have contained secret information. “It’s random stuff in there because it’s random memory,” he said.
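As an added illustration, not code from this article or from Cloudflare, the C program below shows how a parser that mis-checks the end of its input can spill neighbouring memory into a response, which is what "random memory" in a served page means in practice. Cloudflare's own post-mortem attributed the overrun to an end-of-buffer test in its generated HTML parser that checked for equality with the end pointer instead of "at or past" it; the parser here is a simplified stand-in for that code, the `arena`, the truncated request and the neighbouring Set-Cookie header are constructed sample data, and the names `arena`, `copy_attr_value` and `leak_demo` belong to this example only.

```c
#include <stdio.h>
#include <string.h>

/* Simulated edge-server memory. The customer's HTML sits at the front, and
 * whatever the server handled last (here another site's Set-Cookie header)
 * happens to sit right after it. Constructed sample data, not real traffic. */
#define ARENA_SIZE 128
static char arena[ARENA_SIZE];

/* A request whose attribute value is cut off right after a backslash escape. */
static const char request[]   = "<a title=\"hello\\";
/* The bytes that happen to follow the request buffer in memory. */
static const char neighbour[] = "Set-Cookie: session=\"s3cr3t-token\"; Secure";

static void fill_arena(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, request, strlen(request));
    memcpy(arena + strlen(request), neighbour, strlen(neighbour));
}

/* Copy a quoted attribute value, starting just after the opening quote at p,
 * into out. It should stop at the closing quote or at the end of the request
 * (pe). A backslash escape consumes two bytes at once.
 *
 * fixed == 0: end of input is detected with `p == pe`, the faulty form. An
 * escape at the very end advances p from pe-1 to pe+1, the equality never
 * fires, and the scan runs on into memory that is not part of the request.
 * fixed != 0: the test is `p >= pe`, and a dangling backslash ends the scan.
 *
 * `limit` is the end of the arena and stands in for the end of mapped memory;
 * it exists only so that the faulty path terminates deterministically here. */
static size_t copy_attr_value(const char *p, const char *pe, const char *limit,
                              char *out, size_t outcap, int fixed)
{
    size_t n = 0;
    while (n + 1 < outcap && p < limit) {
        if (fixed ? (p >= pe) : (p == pe))
            break;                               /* end of request */
        if (*p == '"')
            break;                               /* closing quote: value complete */
        if (*p == '\\') {
            const char *stop = fixed ? pe : limit;
            if (p + 1 >= stop)
                break;                           /* fixed: dangling escape at end of input */
            out[n++] = p[1];                     /* keep the escaped character */
            p += 2;                              /* faulty path: may jump over pe */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Parse the constructed request with the faulty (fixed == 0) or corrected
 * (fixed != 0) check and return what the parser would have written into the
 * response body. */
const char *leak_demo(int fixed)
{
    static char out[ARENA_SIZE];
    fill_arena();
    const char *pe = arena + strlen(request);                          /* end of the request */
    const char *p  = (const char *)memchr(arena, '"', strlen(request)) + 1;
    copy_attr_value(p, pe, arena + ARENA_SIZE, out, sizeof out, fixed);
    return out;
}

int main(void)
{
    printf("faulty parser emitted: \"%s\"\n", leak_demo(0));
    printf("fixed parser emitted:  \"%s\"\n", leak_demo(1));
    return 0;
}
```

Run stand-alone, the faulty path copies the start of another tenant's cookie header into the attribute value, up to the first quote it happens to meet, while the corrected check returns only the request's own bytes. On a real edge server the memory after a request buffer is whatever the process touched last, which is why the leaked fragments contained cookies, tokens and keys rather than one predictable value.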

Ultimately, even Cloudflare itself was affected by the bug. “One obvious piece of information that had leaked was a private key used to secure connections between Cloudflare machines,” Graham-Cumming wrote in Cloudflare’s announcement. The encryption key allowed the company’s own machines to communicate with each other securely, and was implemented in 2013 in response to concerns about government surveillance.

It is recommended that you change your passwords on any Cloudflare-fronted website that holds your personal information, such as login credentials, credit card numbers or social security numbers. Because cookies and authentication tokens were among the leaked data, site operators should also consider invalidating active sessions and rotating API tokens, since changing a password alone does not expire a session that was already exposed.


Source: TechCrunch