‘Cloudbleed’ bug leaks info held on thousands of websites

Private messages on dating sites, password manager data and hard-core pornography – these are just some of the things that were inadvertently exposed on the open Internet by a bug discovered in the Cloudflare network.

Usernames and passwords, client IP addresses, cookies and other request data were among the other information that leaked.

Cloudflare is a content delivery and security provider that sits in front of its customers’ websites as a reverse proxy, so their traffic passes through Cloudflare’s own servers. At least 3,400 websites were affected by this bug, including popular services such as Uber, Fitbit and OkCupid. That figure counts the sites whose pages triggered the leak; because the leaked memory came from proxy servers shared by all customers, it could contain traffic belonging to any site behind Cloudflare, not only those 3,400.

The bug has been dubbed ‘Cloudbleed’ because, like the 2014 Heartbleed bug in OpenSSL, it leaked the contents of server memory. It was discovered by Tavis Ormandy, a member of Google’s Project Zero team.

Anyone who uses a website that’s run through Cloudflare should change their passwords as soon as possible. A list of potentially affected websites can be found here.

Ancient software

For several months, Cloudflare’s edge servers appended random fragments of their own process memory to the HTTP responses they served. In practice, a page served through Cloudflare would occasionally carry, after its own HTML, chunks of other customers’ traffic that happened to be in memory at the time.

The bug became apparent in February while Cloudflare was migrating to newer software. In a blog post, Cloudflare’s chief operating officer, John Graham-Cumming, wrote that an “ancient piece of software” revealed the “latent security problem”, one that only showed up when the company was in the process of migrating away from it.
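Cloudflare’s post-mortem traced the leak to a buffer overrun in its old HTML parser: the end of the input buffer was tested with the equality operator, and a pointer that stepped more than one byte at a time could jump past the end and keep reading. The C program below is an added example, not Cloudflare’s code. It is a toy attribute-value scanner with the same flaw, a constructed “neighbour” string standing in for another customer’s data adjacent in memory, and the one-character fix; the page text, the neighbour bytes and the escape rule are all made up for the demonstration.

```c
/* Added example, not Cloudflare's parser.  A toy scanner that reproduces
 * the pattern behind Cloudbleed: the end-of-buffer test uses == and the
 * scanner sometimes advances two bytes at once, so a pointer can land on
 * pe + 1 and never satisfy the test.  The "neighbour" bytes are constructed
 * for this demo and stand in for whatever other tenant's data happened to
 * sit after the request buffer in the proxy's memory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BACKING_SIZE 64

/* Constructed data adjacent to the page in memory. */
static const char neighbour[] = "SECRET=other-tenant-cookie";

/* Lay out one backing array: the page's bytes first, the neighbour's bytes
 * right after, then zeros so the demo's over-read stays inside the array. */
static size_t build_backing(char *backing, const char *page)
{
    size_t page_len = strlen(page);
    memset(backing, 0, BACKING_SIZE);
    memcpy(backing, page, page_len);
    memcpy(backing + page_len, neighbour, sizeof neighbour - 1);
    return page_len;
}

/* Copy an attribute value out of [p, pe).  A backslash escapes the next
 * byte, so the scanner skips two bytes at once.  With strict_eq set, the
 * loop stops only when p == pe; a trailing backslash moves p to pe + 1 and
 * the scanner keeps copying bytes that belong to the neighbour.  Returns
 * the number of bytes copied; *leaked counts those read from beyond pe. */
static size_t scan_value(const char *p, const char *pe, int strict_eq,
                         char *out, size_t out_cap, size_t *leaked)
{
    size_t n = 0;
    *leaked = 0;
    while (n + 1 < out_cap) {
        int at_end = strict_eq ? (p == pe) : (p >= pe);
        if (at_end)
            break;
        if (*p == '\\') {
            p += 2;                 /* skip the escape and the escaped byte */
            continue;
        }
        if (*p == '\0')             /* end of the demo's backing array */
            break;
        if (p >= pe)
            (*leaked)++;            /* this byte is not part of the page */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Run the scanner over a page whose value ends in a lone backslash and
 * return how many bytes were copied from beyond the page. */
static size_t leaked_bytes(int strict_eq)
{
    char backing[BACKING_SIZE], out[BACKING_SIZE];
    size_t leaked;
    size_t page_len = build_backing(backing, "/login\\");
    scan_value(backing, backing + page_len, strict_eq, out, sizeof out, &leaked);
    return leaked;
}

/* Same run, but return the copied value itself (static buffer, for display). */
static const char *scanned_value(int strict_eq)
{
    static char out[BACKING_SIZE];
    char backing[BACKING_SIZE];
    size_t leaked;
    size_t page_len = build_backing(backing, "/login\\");
    scan_value(backing, backing + page_len, strict_eq, out, sizeof out, &leaked);
    return out;
}

int main(void)
{
    printf("== check : %-32s (%zu bytes leaked)\n", scanned_value(1), leaked_bytes(1));
    printf(">= check : %-32s (%zu bytes leaked)\n", scanned_value(0), leaked_bytes(0));
    return 0;
}
```

With the `==` test the output for the constructed page is the page’s own value followed by most of the neighbour string; with `>=` the scan stops at the boundary and nothing leaks. The demo keeps the over-read inside one array so it is well defined; in the real parser the bytes past the end were whatever the proxy process had in memory, which is why unrelated customers’ requests appeared in the leaked output. Note also that nothing malicious was needed on the triggering page: any page whose markup left the parser at the end of the buffer at the wrong moment could set it off.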

Change passwords

The flaw was fixed on 18 February, and Cloudflare says it has worked with the major search engines to purge leaked data from their caches. Caches and crawlers outside its reach cannot be cleared the same way, so users are being advised to take precautions to protect their information. The GitHub-hosted list of potentially affected sites advises users to change all their passwords, especially those on affected sites, and to:

  • Ask vendors and sites to reset all their session tokens
  • Log out of all active sessions where possible (and repeat in a week or two)
  • Rotate API keys and secrets
  • Confirm that two-factor authentication is set up for important accounts

Password security and ISO 27001

According to a 2016 survey conducted by LastPass, 59% of people reuse passwords for multiple logins. That means that a single data breach could jeopardise the security of all of a user’s accounts. In an enterprise context, one lazy user could cause a massive corporate data breach.

If you’re a manager, it’s essential to train your staff to be aware of information security risks and to have robust information security policies in place.

The information security standard ISO 27001 sets out the requirements of a best-practice ISMS (information security management system) that addresses people, processes and technology. Organisations of whatever size, sector or location can use ISO 27001 to address the information security threats they face.

ISO 27001 certification

IT Governance has everything an organisation needs to help implement ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software.

These resources are also available in our combined ISO 27001 Packaged Solutions, a series of fixed-price packages to suit all needs.
