The good news is that hackers do not appear to have taken advantage of a severe Cloudflare security bug that would have given them access to sensitive customer data including passwords and authentication tokens. The bad news is that the bug was only recently discovered, which means it went undetected for nearly five months.
Cloudflare is a content delivery service used by more than 5.5 million sites, including plenty of popular ones that you might use on a regular basis such as Uber, 1Password, Fitbit and OKCupid. In other words, it’s probably a good idea to change your passwords immediately.
The bug was initially discovered by Google’s Project Zero security researcher Tavis Ormandy, Ars Technica explains. He contacted Cloudflare once he realized what he had discovered, comparing it to Heartbleed in scope and severity. The company promptly fixed the issue.
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” Cloudflare CTO John Graham-Cumming wrote in a post on the company blog. “We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
The security bug could have exposed plenty of user data, including passwords, cookies, tokens used to authenticate users, and even Cloudflare’s encryption keys used to protect server-to-server traffic. And all that data was then cached by search engines including Google, Yahoo, and Bing, which would have given hackers nearly live access to the data.
Even though Cloudflare acknowledged the issue, Ormandy took issue with the company’s disclosure. “It contains an excellent postmortem, but severely downplays the risk to customers,” he wrote in an update. He was also the one to name, in a Twitter message, the companies that may have been affected by the leak.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
1Password said in a blog post that thanks to its triple encryption layer, no sensitive data was ever exposed to hackers.