If you follow InfoSec or tech news, then no doubt you have seen a ton of headlines about Cloudbleed, a major security breach discovered in February. Unless you work in one of these areas, though, you may not be sure what it means for you as a small startup or small business. Let’s break down exactly what it is, and then we will talk about why you care and what you need to do.
What Is Cloudbleed?
Cloudbleed is a major security flaw in one of the services provided by Cloudflare, a company that provides a bunch of behind-the-scenes services for other websites, ironically including security services. To be specific, the flaw is a buffer overflow error in their reverse proxy servers, apparently caused by one line of code having a mis-keyed digit. Take a look here if you want specifics on the erroneous code. Members of Google’s security team, primarily Tavis Ormandy, a well-known bug hunter, discovered the bug and immediately published an advisory regarding it. The name is a reference to the Heartbleed bug from 2014, because the two bugs both leak information in a similar way, and InfoSec people often have a sense of gallows humor about this kind of thing.
The flaw allowed passwords, credit card transaction authentication tokens, chat messages, and other sensitive data to be incorrectly leaked over from one Cloudflare customer’s server to another. About 3,400 websites were affected, so potentially any information transmitted between those sites and any of their users could have been leaked. Worse still, because a large number of those sites had been cached—that is, a temporary copy stored to speed up searches by services like Google—the data propagated to servers outside the 3,400 Cloudflare clients as well, and was readable by anyone who knew where to look.
Apparently, Cloudflare acted quickly to shut down the flawed service and got it fixed the same day, tracing the problem to a change in their parsing software. The good news is this means they know the flaw only existed for a limited time. The bad news is that the time in question was from September 2016 until February 17, 2017—nearly 6 months.
It is also important to understand that only a very tiny fraction of web traffic on those sites actually resulted in data leaking, approximately 3 in every million. While the potential was there the entire time, a very particular and unlikely set of things had to happen for the flaw to cause leakage.
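As an added illustration of the bug class behind Cloudbleed (constructed here, not Cloudflare's code), this toy attribute copier runs over one shared memory arena: the buggy variant ends its loop only when the cursor is exactly at the end of the buffer, so a two-byte step for an escaped character hops over that check and keeps copying another customer's data; the strict variant bounds every read. The arena contents, the customer names and the token are all made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena, not Cloudflare's code: it models one proxy worker's
 * memory. The first REQ_LEN bytes are customer A's HTML being rewritten;
 * what follows belongs to customer B's request and must never be copied
 * into a response sent to A. */
static const char arena[] =
    "<img src=\"a.png\\"                 /* 16 bytes; value never closed */
    "Authorization: Bearer tok-of-customer-B";
#define REQ_LEN 16

/* Copy the value of the first src="..." attribute in buf[0..len) to out.
 * A backslash escapes the next byte, so the cursor advances by two there.
 * strict == 0 reproduces the bug class: the loop stops only when p == end, so
 * a two-byte step that lands past end is never noticed and reads continue into
 * whatever follows the buffer. strict == 1 bounds every read by end. */
static size_t copy_src(const char *buf, size_t len, int strict,
                       char *out, size_t outcap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (p + 5 <= end && memcmp(p, "src=\"", 5) != 0) p++; /* no NUL needed */
    if (p + 5 > end) return 0;
    p += 5;
    while (n + 1 < outcap) {                /* outcap is the only backstop */
        if (strict ? p >= end : p == end)
            break;
        if (*p == '"')
            break;
        if (*p == '\\') {                   /* escaped byte: skip the slash */
            p++;
            if (strict && p >= end)
                break;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[32];                           /* response buffer for the value */
    copy_src(arena, REQ_LEN, 0, out, sizeof out);
    printf("buggy : \"%s\"\n", out);       /* carries customer B's token */
    copy_src(arena, REQ_LEN, 1, out, sizeof out);
    printf("fixed : \"%s\"\n", out);       /* "a.png" only */
    return 0;
}
```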
Why Do I Care?
Among affected Cloudflare clients are some of the largest websites on the internet, including Uber, FitBit and OKCupid. Additionally, the 1Password service, one of the password managers I discussed in a previous article, was also affected, although 1Password has stated their data was not at risk. Regardless, there is a good possibility that you have logged in or done business with one of the affected websites. Further, if you re-use that password or a close variant (e.g., Password123 and Password321) on other sites, then you could be significantly vulnerable right now. If you needed proof that you should never use a password on multiple sites, wish granted.
Additionally, some transactional information seems to have been leaked as well, things like travel reservations, possibly some payment info (not credit card numbers but authorization tokens and receipts), and things like message text from some chat apps. This is significant not only because of the invasion of privacy if someone has access, but also because information may be contained in these leaks which makes it easier for someone else to locate you or gain access to your accounts.
What Do I Need to Do?
The safest thing to do is change all your passwords, which is a pain even if you have followed some of my previous advice. In fact, some experts suggest that, considering the low actual rate of data leakage and how often we end up recommending a full password change, you should just wait and see. However, as entrepreneurs and freelancers, your passwords and other info may not just help an attacker target you, but a client or customer as well, and I think that sets the bar higher. If you are not using a password manager yet, this is a good time to bite the bullet and get it set up, changing to random, complex passwords as you go.
Also, if you haven’t activated 2-factor authentication on websites that offer it, especially critical ones like financial sites and email, this is a great time to do that. This offers a ton of extra security for only a little extra effort, which becomes a near-painless part of your routine, one that can save you a lot of hassle later. Plus, it identifies you as a knowledgeable professional who takes protecting data seriously—what entrepreneur doesn’t need more of that? Here is a useful list of sites that support 2-factor to get you started.
If you are really determined to wait and see, I suggest you take a look at one of the websites that have popped up which allow you to search the full list of affected domains. That will give you an idea of how much exposure you have, but bear in mind that the list of affected websites is long and it would be difficult to remember all your internet traffic since September of last year.
Finally, considering the varied nature of the leaked data (not just passwords), be vigilant for anything unusual. Look again at any travel plans you have made, videos you have uploaded, etc. A good bit of the data leaked was more technical in nature—things like cookies, which do not have password data but may help someone identify you. If something weird happens with an account or a website you use or post to frequently, do not assume that it is a fluke. Investigate further and follow up with them. It could be that getting a new account number or something similar ends up stopping an attack before it ever happens.
Realistically, the chances are small your data is affected by Cloudbleed, but the damage from a cyberattack can be considerable; further, most of this advice here is a good idea anyway. This is not the first significant security flaw to crop up suddenly, and will surely not be the last one. Nevertheless, with some basic precautions you can weather this storm cloud too.