Weekly podcast: Cloudflare, Cloudbleed, CloudPets and Yahoo

This week, we discuss the Cloudbleed bug, a breach affecting CloudPets, and the latest news from Yahoo.

Hello and welcome to the IT Governance podcast for Friday, 3 March 2017. Here are this week’s stories.

Last month, Cloudflare released details of a bug in its HTML parser that had been leaking data – including personal information – onto the Internet for several months. Tavis Ormandy from Google’s Project Zero discovered the vulnerability and dubbed it (with somewhat feigned reluctance, it has to be said) ‘Cloudbleed’ because of its resemblance to the Heartbleed bug. He explained that Cloudbleed was leaking “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” A vast number of websites were potentially affected, including familiar names such as Uber, Fitbit, Transport for London and OkCupid, although there was no indication that the bug was maliciously exploited before it was patched.

This week, Cloudflare’s CEO Matthew Prince blogged about the impact of Cloudbleed. “Given the scale of Cloudflare, the impact was potentially massive,” he said. “We are continuing to work with third party caches to expunge leaked data and will not let up until every bit has been removed. […] This bug exposed just how much of the Internet puts its trust in us. We know we disappointed you and we apologize.”

Cloudflare’s bug bounty programme has a top reward of a t-shirt. I do hope Tavis enjoys it.

From Cloudflare to CloudPets…

Spiral Toys, the company behind CloudPets – Internet-connected soft toys and a companion app that let parents and children record and exchange audio messages – has sent California’s Attorney General a rather defensive breach notification. It contradicts the claim that the company left its “database exposed publicly to the web without so much as a password to protect it”, to quote security researcher Troy Hunt, who broke the story this week.

According to Mr Hunt, records for more than 820,000 accounts – and the means of accessing almost 2.2 million voice recordings to and from children – were stored in an unsecured, Internet-facing MongoDB installation. It was accessed by malicious parties on several occasions before the database was deleted and a ransom note left demanding a bitcoin payment.

According to Spiral Toys’ account, however, the 2 million figure misleads “readers into believing that all messages and images on our servers were obtained by hackers. In the leaked data,” it says, “all passwords were encrypted. The messages and images of a customer account could not be accessed unless a hacker ‘guessed’ the password. […] In the CloudPets terms of use we do recommend customers to use complex passwords and do not use a password you use elsewhere.”

Mr Hunt, however, provides evidence that this ‘recommendation’ is wholly inadequate: “CloudPets has absolutely no password strength rules. When I say ‘no rules’, I mean you can literally have a password of ‘a’. That’s right, just a single character.” He even points to a CloudPets demonstration video that uses the password ‘qwe’. So, even if the passwords are encrypted, as Spiral Toys claims, it takes little effort to crack “a large number in a very short time”, which Hunt duly did to prove his point. He also comprehensively refutes the claims Spiral Toys makes in its notification.

Finally, Yahoo again. (It seems we can’t go a week without mentioning Yahoo at the moment.) A couple of weeks ago, Yahoo emailed users, alerting them that “outside forensic experts [had] been investigating the creation of forged cookies that could have enabled an intruder to access [its] users’ accounts without a password”. This week, Yahoo’s SEC filing revealed the number of affected accounts: 32 million. The extent to which this figure overlaps with the 1 billion accounts affected by the 2013 data breach – or the 500 million accounts affected by the late 2014 data breach – isn’t known. Yahoo’s CEO Marissa Mayer announced this week that she has “agreed to forgo [her] annual bonus and [her] annual equity grant this year” in response to the incidents. More than 40 lawsuits have been filed seeking damages for the breaches, according to the Guardian.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s March book of the month is Once more unto the breach – Managing information security in an uncertain world, by Andrea C Simmons. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.