A bug in its software left hundreds of thousands of webpages served through Cloudflare leaking personal data that should have been protected by encryption, but there was no sign yet that the leak had been exploited by hackers, the Internet security firm said on Friday. Google Project Zero security researcher Tavis Ormandy, who discovered the bug, wrote on Twitter that Cloudflare customers such as Uber, 1Password, Fitbit, and OKCupid were likely affected.

Cloudflare, a content delivery network and Internet security services provider, hosts six million websites, spreading them across the Internet to put them closer to customers while at the same time reducing their exposure to Distributed Denial of Service (DDoS) attacks that might knock them offline.

The data leak was attributable to a bug in the firm's software that had been sending chunks of unrelated data to users' browsers when they visited a webpage hosted by Cloudflare, according to Google researchers.

Cloudflare Chief Technology Officer John Graham-Cumming said in a blog post that the problem had been fixed quickly - within six hours - and that most of the exposed data had been removed from the caches of search engines like Alphabet's Google.

"We've seen absolutely no evidence that this has been exploited," he told Reuters by phone. "It's very unlikely that someone has got this information."

The leakage may have been active from September 22, but the period most affected was from February 13 until it was discovered on February 18. At its height earlier this month, Graham-Cumming said, about 120,000 webpages were leaking information every day. In his blog post, Graham-Cumming added that during that time "end-user passwords, authentication cookies, OAuth tokens used to log into multiple website accounts, and encryption keys Cloudflare used to protect server-to-server traffic were all at risk of being exposed."

Some of this data included "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings" as well as cookies, passwords and software keys, Ormandy wrote on February 19.

As mentioned above, Ormandy also wrote on Twitter that data from the ridesharing service Uber and the password manager company 1Password had been leaking. Uber declined to comment, while AgileBits, the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised.

Graham-Cumming said it was difficult to say which of Cloudflare's six million websites had been affected. He said that Google and Cloudflare had been working together to remove any sensitive data from the cached copies of webpages that search engines such as Google keep when they index the web.

He said that process was not yet complete, which is why some researchers were still finding data if they knew where to look.

Some security researchers have said the problem is more serious than Cloudflare has described.

Jonathan Sublett of internet security company Shield Maiden said in a blog post that anyone who accessed sites that used Cloudflare "should consider their data public and work towards securing their accounts".

Graham-Cumming said it was difficult to say which of Cloudflare's customers were affected. "There will be a debate about how serious this is," he said. "We do not know of anybody who has had a security problem as a result of this."

Because this bug was present for a long time and posed a serious risk of personal information exposure, users are strongly advised to change their passwords at the very least. Cloudflare has fixed the bug, but if you are especially concerned about your personal information online, read security researcher Ryan Lackey's additional security measures here.