We always hear of cyber criminals causing havoc by breaking into web services with attempts to steal personal data. They can use various hacking methods like brute force, social engineering, zero-day exploits and software exploits and hacks.
But what if a simple typo in programming code could inadvertently leak out data without hacker intervention?
A coding error in a popular web optimization and content delivery company's programming was discovered to cause thousands of websites to leak sensitive data including passwords, encryption keys and cookies for months.
Affected sites include services like Yelp, OKCupid, Uber, Fitbit, ZipRecruiter, Patreon, Fiverr, Forbes, and 4Chan.
Cloudflare, whose service is used by more than 5.5 million websites, admitted in an official blog post that there was indeed a serious memory leak that may have contained sensitive information. The company said it has already identified and rectified the issue.
Google's Project Zero researcher and bug hunter Tavis Ormandy spotted the issue (unofficially nicknamed Cloudbleed) on February 18th and promptly informed Cloudflare about it.
The Cloudflare leak was apparently caused by a single typo. By using the character – '
>' rather than '
=' – in Cloudflare's software source code, the vulnerability was created.
The greatest period of impact was from February 13 to 18, but the leakage may have been going on as far back as September 22 of 2016. Leaked sensitive data may have been cached by search engines which made this bug even more serious.
Cloudflare said the bug had been present in its code and unnoticed for years. A recent switch in its HTML parser changed how data is buffered, thus causing the memory leak.
To fix the problem, the company has turned off the three minor features (e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites) that are causing the leaks, and claims the bug is no longer in effect.
Here's a list of some of the notable sites affected by "Cloudbleed":
- curse.com (and some other Curse sites like minecraftforum.net)
Cloudflare asserts that there is no evidence of malicious exploits of the bug or signs of malicious use of the leaked information.
What you can do
Still, since the sensitive data has been potentially exposed for months and was cached publicly in search engines, it is wise to change your passwords if you are using any of the affected Cloudflare sites.
Also, it is a good idea to review your other passwords, Cloudflare site or not, since password reuse attacks will inevitably follow. With that said, it's a terrible practice to use the same username, email and password in multiple sites and services.
If the service offers it, it's also prudent to use multi-step verification or two-factor authentication if a service offers it. With this, a secondary code (for example, a code sent via text message to your phone) will be required to verify your identity.
Web services that are affected by this bug may also start sending out password change notices to their users, but please if you receive any, scrutinize them carefully since they might be phishing scams instead. Can you spot the signs of a fake email? Click here to take our quiz.