On February 23, 2017, Cloudflare, an internet company that provides CDN, DNS and DDoS-protection infrastructure to millions of websites, announced it had found and fixed a bug in the HTML parser running on its edge servers. The so-called Cloudbleed bug caused those servers to “leak” fragments of their memory into the HTTP responses of sites relying on Cloudflare, memory that could contain other customers’ traffic, including things such as session cookies and user passwords.
The news of this bug took the Internet by storm. Potentially thousands of sites and millions of people had been put at risk. While the bug was likened to the Heartbleed bug that made headlines in 2014, experts were quick to say that although this was a serious security incident, it was not as severe as Heartbleed. The name “Cloudbleed” nevertheless caught on quickly. Perhaps the suffix “-bleed” will become for IT data breaches what “-gate” is for political scandals.
For users, Cloudbleed means going through the tedious work of changing passwords and making sure online accounts are secure. For businesses relying on Cloudflare’s services, it means investigating how safe their customers’ data really is. And for managed service providers, it’s an opportunity to remember that delegating services to other providers doesn’t let you off the hook when things go wrong: you still need to be there for your clients.
The bug that caused this mess was so small it’s easy to see how it went unnoticed. The HTML parser at fault was built with the Ragel parser generator, and the generated code tested for the end of the input buffer with “==” where “>=” was needed. As long as the parser advanced one byte at a time the test worked, but one path through the grammar let the pointer step past the end of the buffer by more than one byte, after which an equality test could never fire. A difference of one character therefore turned into a buffer over-read: the parser kept reading, and copying into the response, whatever happened to sit in memory after the end of the buffer.
As a result of this single character, a page served through Cloudflare could accidentally include someone else’s data in its response, provided the page contained certain “unbalanced HTML tags” (for instance an unterminated tag at the very end of the page) and passed through one of the three Cloudflare features that used the parser: email address obfuscation, Server-Side Excludes, or Automatic HTTPS Rewrites. The leaked bytes were not limited to that one site’s users: they came from the edge server’s memory and could belong to any request recently handled by that server, including traffic for other Cloudflare customers. The data seen in the wild included HTTP cookies, authentication tokens, POST bodies with login credentials, and even the contents of private messages. Iain Thomson, tech writer for “The Register”, described Cloudbleed as “sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you’re also handed the contents of the previous diner’s wallet or purse.”
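The following C program is an added illustration of the bug class described above. It is not Cloudflare’s code and is a deliberate simplification of the Ragel-generated parser in its write-up: a scanning loop whose end-of-input test uses == and a single grammar action that advances the pointer by two bytes. The arena, the tenant pages, the email address and the CSRF token are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the Cloudbleed bug class; not Cloudflare's code.
 * A Ragel-style generated loop extracts text from HTML. In TEXT state a '<'
 * is consumed together with the first byte of the tag name (a real parser
 * needs both to classify the tag), so p advances by two in one step. If the
 * page ends in a bare '<', p lands one byte past pe and an "== pe" test can
 * never fire again. */

enum state { TEXT, TAG };

/* Extracts text from the page [page, page + page_len) into out.
 * fixed != 0 selects the corrected ">= pe" end-of-input test.
 * hard_end and out_cap are demo-only guards so the buggy variant never
 * touches memory outside the arena (that would be undefined behaviour). */
size_t extract_text(const char *page, size_t page_len, const char *hard_end,
                    int fixed, char *out, size_t out_cap)
{
    const char *p = page;
    const char *pe = page + page_len;       /* end of this request's buffer */
    enum state st = TEXT;
    size_t n = 0;

    while (p < hard_end && n + 1 < out_cap) {
        if (st == TEXT) {
            if (*p == '<') {
                st = TAG;
                p++;                        /* action: swallow tag-name byte too */
            } else {
                out[n++] = *p;              /* ordinary text is copied through */
            }
        } else if (*p == '>') {
            st = TEXT;                      /* end of tag, back to text */
        }
        p++;                                /* generated: next input byte */

        /* Generated end-of-input test. With == a pointer that has already
         * stepped past pe is never caught and scanning continues into
         * whatever follows in memory; >= stops it. */
        if (fixed ? (p >= pe) : (p == pe))
            break;
    }
    out[n] = '\0';
    return n;
}

/* Treats the first page_len bytes of mem as one tenant's page and the rest
 * of the NUL-terminated string as whatever happens to follow it in memory.
 * Returns the extracted text in a static buffer. */
const char *scan_page(const char *mem, size_t page_len, int fixed)
{
    static char out[256];
    extract_text(mem, page_len, mem + strlen(mem), fixed, out, sizeof out);
    return out;
}

/* Constructed arena standing in for one region of an edge server's heap:
 * tenant A's page, ending in an unterminated '<', sits right before a
 * response belonging to tenant B. */
static const char arena[] =
    "<p>hi</p><"
    "<p>Welcome back, alice@example.com</p>"
    "<input type=hidden name=csrf value=TOKEN123>";
static const size_t page_a_len = 10;        /* length of "<p>hi</p><" */

int main(void)
{
    printf("buggy (==): \"%s\"\n", scan_page(arena, page_a_len, 0));
    printf("fixed (>=): \"%s\"\n", scan_page(arena, page_a_len, 1));
    return 0;
}
```

With the == test, tenant A’s page comes back as “hi” followed by tenant B’s greeting and email address; with the >= test it stops at “hi”. A page that ends with a complete tag never overruns in either variant, which is why only pages with the specific broken markup triggered the leak.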
Google Project Zero researcher Tavis Ormandy reported the bug to Cloudflare on February 17, and his bug report is where the name “Cloudbleed” first appeared. Cloudflare disabled the three features that triggered the bug within hours of the report and had a patched parser deployed worldwide in under seven hours. They broke the news on February 23 once they had worked with search engines to purge cached copies of leaked pages and assessed the extent of the damage. Cloudflare’s analysis puts the earliest possible leak at September 22, 2016, with the heaviest period of exposure between February 13 and February 18, 2017, after Automatic HTTPS Rewrites was moved onto the affected parser.
According to Cloudflare, at the peak only about 1 in every 3.3 million HTTP requests it handled (0.00003%) could have leaked memory. That is a tiny fraction of traffic, but a fraction of an enormous volume: Cloudflare’s analysis put the number of affected domains at roughly 3,400, including some pretty popular websites, such as Uber, OKCupid, Yelp, and more. Online services such as Fitbit and Discord were also among those affected.
It’s hard to say how much data has fallen into the hands of hackers and other ne’er-do-wells due to Cloudbleed. Perhaps very little data has actually made it to potential bad actors. Even so, affected sites and services have made it clear to their users that changing their passwords right now is a very, very good idea.
It’s not just the passwords for affected sites people have to worry about—after all, a 2015 report revealed that nearly 3 out of 4 people reuse passwords. This means that a data breach on one site can compromise someone’s information on many other websites.
This is how a great deal of real-world account takeover works. Attackers get hold of a victim’s password for LinkedIn or Dropbox or Google, whether by phishing or from a breach dump, and then try that same password against other services (an attack known as credential stuffing) to see what else it opens. The victim’s email? Their PayPal account or bank account? Their computer?
Password reuse can have devastating consequences. Here at Gillware, we recently helped a ransomware victim whose workplace computer had become compromised by ransomware after hackers got their login credentials for a file-sharing service. Their work computer used the same password, and wasn’t protected by a strong VPN with two-factor authentication. As a result, the hackers could easily remote into the computer and encrypt its contents.
A user affected by Cloudbleed could also see their accounts on sites like OKCupid or chat services like Discord hijacked and used to spread phishing scams to other people, potentially compromising even more people.
For users, Cloudbleed serves as a reminder to use strong and unique passwords for all of their online accounts. It also serves as a reminder to use two-factor authentication when possible, especially for work-related matters.
Cloudflare has already fixed Cloudbleed, so no new data is leaking. Two caveats remain, however. First, leaked responses that were crawled before the fix may still sit in search engine and proxy caches; Cloudflare worked with Google, Bing, Yahoo and others to purge what it could find, but there is no guarantee every copy is gone. Second, because session cookies and authentication tokens leaked along with passwords, a password change alone is not enough: affected services need to invalidate existing sessions and rotate any API keys or tokens that may have passed through Cloudflare during the exposure window. If you have clients you’ve pointed toward Cloudflare for their website infrastructure needs, advise them on both points and on how they should inform their site’s users.
The important thing MSPs can take away from Cloudbleed is that you need to be there for your clients—whatever happens. Just because you delegate a service to another provider, you can’t absolve yourself of your responsibility.
A lot of managed service provision comes down to recommending solutions to a client. You can’t do everything, of course. When your client needs a good backup service, or a strong VPN, you’re probably reselling another backup provider’s services, or telling your client, “Here, use this VPN software.”
Just because you’re not directly providing a service doesn’t mean you’re off the hook if something bad happens. When you recommend Cloudflare to a client and Cloudbleed happens, or when you recommend any service to a client and something goes wrong, the client doesn’t care who’s responsible, only that something bad happened. When your client ends up in a sticky situation, they’re going to turn to you. And if you can’t help them… they’re probably going to turn on you.
Let’s use another example—like an automated backup service. Let’s say you tell your client Bob to use Alice’s Backup Service. Everything works great for a while. Then Alice’s Backup Service goes bankrupt, or their data center catches on fire, or something. Or Bob’s server crashes, and he finds out—the hard way—that he should’ve been auditing his backups. If you’re not there in time to help your client, a bad situation can turn into a nightmare for you and your client.
Cloudflare has not provided an official list of affected websites. However, multiple resources and tools have popped up to identify websites potentially affected by Cloudbleed over the past week. For example, an extension for the Chrome web browser looks through your Chrome bookmarks and identifies potentially-affected websites. The website “Does It Use Cloudflare?” provides a convenient means to check if a website uses Cloudflare.
Remember, Cloudbleed is not as serious as Heartbleed. A site that uses Cloudflare may have been exposed, but that is not certain. Just because the bug existed does not mean it was exploited: Cloudflare reported finding no evidence of malicious exploitation before disclosure, and there is as yet no proof that massive amounts of user data have fallen into the hands of hackers.
And again, only a small number of pages actually triggered the bug. The catch is that the memory those pages exposed could contain traffic from any site proxied by Cloudflare, not just the site with the broken HTML, so there is no way to definitively check whether a given site’s data was leaked. You can only check whether the site uses Cloudflare, which is what the tools above do. According to Cloudflare, only a tiny fraction of requests actually leaked anything.
That said, users of affected sites and services like Uber, Yelp, Fitbit, and Discord should still change their passwords, just to be on the safe side. It’s also as good a reminder as any to avoid using duplicate passwords and set up two-factor authentication, especially for your financial accounts.