Cloudbleed Explained: Protect Yourself From the Internet's New Security Flaw
The internet's latest security hitch may have exposed you in secret.
By Eric Limer
Cloudbleed is the name of the newest wide-reaching security flaw that has recently affected the internet, exposing the private information of millions of users worldwide. A flaw in the popular Cloudflare Content Delivery Network (CDN), which is used by some 5.5 million websites, Cloudbleed leaked information like passwords, message contents, and more for at least a week before the hole was finally fixed. While it is patched now, who knows what private information is still out there? Change your most important passwords.
The vulnerability was first spotted by bug-hunter Tavis Ormandy on February 17th, and according to a post-mortem by Cloudflare, the period of greatest impact was between February 13 and February 18.
WHAT HAPPENED
While services like Cloudflare keep one person's data separate from another's, a tiny but serious bug poked a hole in this digital wall. One character—an instance of "==" that should have been ">="—made it possible for computers to skip over the dividing wall between two different people's data. This allowed users exploiting a certain technique to obtain a random chunk of a random person's otherwise private information. Imagine if dialing your phone in a certain way gave you a random bit of someone else's call.
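The effect of that comparison, as an added example in C (not Cloudflare's code and not from the original article): a toy scanner whose cursor can advance two bytes at once, run first with an "==" end check and then with a ">=" one. The arena contents, the function names and the two-byte step on "=" are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena: the first REQ_LEN bytes are one request's buffer; the
   remainder stands in for another user's data lying next to it in memory. */
#define REQ_LEN   8
#define ARENA_LEN 32
static const char ARENA[ARENA_LEN + 1] = "<p><a b=" "SECRET-COOKIE-OF-USER-2;";

typedef int (*at_end_fn)(size_t pos, size_t end);
static int end_eq(size_t pos, size_t end) { return pos == end; } /* flawed  */
static int end_ge(size_t pos, size_t end) { return pos >= end; } /* correct */

/* Hypothetical toy scanner: copies the request into out and returns how many
   emitted bytes came from beyond the request's end. The pos < ARENA_LEN guard
   only keeps this simulation inside the array. */
size_t scan(at_end_fn at_end, char *out, size_t out_cap)
{
    size_t pos = 0, n = 0, leaked = 0;
    while (!at_end(pos, REQ_LEN) && pos < ARENA_LEN && n + 1 < out_cap) {
        if (pos >= REQ_LEN)
            leaked++;
        out[n++] = ARENA[pos];
        /* '=' consumes the byte after it too, so the cursor can step from
           REQ_LEN - 1 straight to REQ_LEN + 1 and never equal REQ_LEN. */
        pos += (ARENA[pos] == '=') ? 2 : 1;
    }
    out[n] = '\0';
    return leaked;
}

int main(void)
{
    char out[64];
    size_t leaked = scan(end_eq, out, sizeof out);
    printf("==  check: %zu foreign bytes, output \"%s\"\n", leaked, out);
    leaked = scan(end_ge, out, sizeof out);
    printf(">=  check: %zu foreign bytes, output \"%s\"\n", leaked, out);
    return 0;
}
```

With the equality check the cursor steps over the end marker and the output carries the neighbouring data; with ">=" the scan stops at the request's boundary.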
That may not seem too bad—most private data is fairly harmless out of context—but Tavis Ormandy listed some of the more terrifying things he found while researching the flaw:
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
The true impact of the bug depends on whether anyone with nefarious intentions also found this flaw and deliberately exploited it. Someone with the knowledge and the means could have repeatedly pinged various affected websites, capturing as much random data as possible with the intent to go through it later, panning for cybergold. As yet, there's no evidence that this happened.
Still, private data got where it did not belong. As Cloudflare explains in its long, in-depth blog on the flaw, data that was leaked by the vulnerability was slurped up by Google and other search engines that routinely crawl the web, caching the content they find:
An additional problem was that Google (and other search engines) had cached some of the leaked memory through their normal crawling and caching processes. We wanted to ensure that this memory was scrubbed from search engine caches before the public disclosure of the problem so that third-parties would not be able to go hunting for sensitive information.
Due to work done before the disclosure of this bug, this data has been cleaned up. Still, it is entirely possible other private data that was exposed during the leak was collected elsewhere and is still out there. One GitHub user has compiled a list of sites that may have been affected by Cloudbleed, but it's not comprehensive and you could still be affected without having visited one.
WHAT YOU SHOULD DO
The real danger of Cloudbleed depends on whether or not the flaw was maliciously exploited before it was patched. If not, there's a relatively small likelihood that anyone nefarious has your passwords. If so, there's a significantly higher one. Either way it pays to be safe.
The best thing you can do—as is often the case—is to change your passwords. Any password used for multiple sites is at the greatest risk of being stolen or exploited, so those are good ones to change, along with the ones you use to protect particularly high-value accounts like bank accounts or password managers. Lastly, take this as an opportunity to turn on two-step verification on any service you use that supports it.
Only time will tell what the true fallout of Cloudbleed will be, and hopefully it won't be too bad. But it's already too late to stop it, so take what measures you can.