The #CloudBleed Data Leak: What’s My Exposure?


On February 17, 2017, Google Project Zero security researcher Tavis Ormandy sent a cryptic tweet to Cloudflare’s security team.

Google Project Zero is Google’s dedicated team of some of the most advanced security researchers, or white hat hackers, in the world. If you are not familiar with Tavis Ormandy’s past work disclosing major security vulnerabilities in Microsoft Windows: this is not the kind of tweet you want to be on the receiving end of.

Dubbed #CloudBleed, the bug in short: sending a specifically crafted request to a website hosted on Cloudflare could cause random data from that website to be sent back in the response. Any login-based application behind a Cloudflare reverse proxy therefore had the potential to accidentally expose sensitive customer information.

22.5 business hours after disclosure, Cloudflare’s security team had mopped things up and released an internal analysis putting the actual risk to customers somewhere in the ballpark of winning the lottery. Their detailed post-mortem includes probabilistic figures: even though the bug was accidentally triggered over two million times, no instance of intentional exploitation was discovered. In other words, for your password on a given website to have leaked, you would have to have been very, very unlucky. But because any leaked password may still be stored in the aggressive caches of modern search engines, we do recommend changing your passwords, just in case.

Elliott Wu