Internet users urged to change passwords after Cloudbleed discovery
Multiple high-profile apps including Uber and FitBit have been leaking customer data for months due to the Cloudbleed vulnerability discovered by Google researchers last week.
The bug, in code that internet services company Cloudflare runs on its edge servers to rewrite customers' HTML, caused bytes of memory belonging to other requests passing through those servers to be written into responses. Some of those responses were then cached by search engines, potentially allowing attackers to pose as legitimate customers. The compromised data includes private messages and authentication cookies.
“We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over http,” said a cyber-security researcher from Google’s Project Zero team. “The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up.”
The researchers said the impact of the vulnerability is potentially wide-reaching due to the massive customer base of Cloudflare.
“I didn't realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” the researcher said.
The Google team said that Cloudflare had responded to the issue promptly, but still advised users of affected services to change their passwords and to enable two-factor authentication where possible.
“With the haemorrhaging from Cloudbleed first reported on Friday, new data from Skyhigh Networks indicates the wounds to IT are widespread,” commented Kaushik Narayan, CTO of cloud access security broker Skyhigh Networks.
“After analysing more than 30 million enterprise users across the globe, Skyhigh found 99.7 per cent of companies have at least one employee that used a Cloudbleed vulnerable cloud application.”
Even though few enterprise-ready cloud services were themselves affected – fewer than four per cent – there’s a very long list of potential consumer-focused services that may have been vulnerable to credential loss, Skyhigh Networks said.
Cloudbleed takes its name from Heartbleed, the vulnerability in the OpenSSL cryptographic software library disclosed in 2014. The researchers said Cloudbleed could potentially be as serious as Heartbleed, which affected millions of websites and let attackers read sensitive user data straight out of server memory.
According to Gizmodo, Cloudbleed is the result of a coding error affecting a single character in Cloudflare’s code. Cloudflare’s own incident write-up identified that character: the check for reaching the end of a buffer used the equality operator (==) where a greater-than-or-equal comparison (>=) was needed, so a pointer that stepped past the end of the buffer was never caught and the parser kept reading, and copying, whatever happened to sit in memory beyond it, including data from other customers’ requests.
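The following is an added illustration of that class of bug, not Cloudflare’s code and not the Ragel-generated parser involved in the incident. It is a deliberately simplified tag scanner that advances its pointer by two bytes when it sees a ‘<’, and the only difference between the leaking and the fixed variant is the end-of-buffer comparison. The arena, the page text, the “adjacent memory” bytes and the SECRET42 cookie value are all constructed for the demo; in the real incident the overrun walked the process heap, whereas here the adjacent bytes live in the same array so the program is well-defined C.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo data (not from Cloudflare): one array holding the page being
 * parsed, followed by bytes standing in for another request's memory. */
#define PAGE_LEN 13
static const char arena[] =
    "<em>hi</em> <"                 /* the page: 13 bytes, cut off right after a '<' */
    " Cookie: session=SECRET42>";   /* "adjacent memory" that must never be read */

/* Scans buf[0..len) for tags and copies each tag's name bytes to out, using '|'
 * as a separator. On '<' it consumes the '<' and the first name byte in a single
 * two-byte step, assuming a name always follows; that is the multi-byte advance
 * which can land p one past end. buggy_eq_check selects the '==' end test (the
 * bug) or the '>=' end test (the fix). hard_stop is a demo-only guard standing
 * in for the point where a real process would crash or hit a terminator.
 * Returns the number of bytes written to out (NUL-terminated, truncated to cap). */
size_t scan_tags(const char *buf, size_t len, const char *hard_stop,
                 int buggy_eq_check, char *out, size_t out_cap)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    int in_tag = 0;

    for (;;) {
        /* End-of-input test. '==' only fires when p lands exactly on end; a
         * pointer that has already stepped past end is never caught. '>=' catches
         * both the exact hit and any overshoot. */
        if (buggy_eq_check ? (p == end) : (p >= end))
            break;
        if (p >= hard_stop)   /* demo-only: the real parser had no such backstop */
            break;

        if (!in_tag) {
            if (*p == '<') {
                in_tag = 1;
                p += 2;       /* '<' plus first name byte, consumed as one step */
            } else {
                p++;
            }
            continue;
        }

        if (*p == '>') {      /* tag closed: emit a separator */
            in_tag = 0;
            if (n + 1 < out_cap) out[n++] = '|';
        } else if (n + 1 < out_cap) {
            out[n++] = *p;    /* copy tag name bytes (or leaked bytes) to output */
        }
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Runs the scanner over the constructed arena with the chosen end test. */
size_t demo(int buggy_eq_check, char *out, size_t out_cap)
{
    return scan_tags(arena, PAGE_LEN, arena + sizeof(arena) - 1,
                     buggy_eq_check, out, out_cap);
}

/* Returns 1 if the scanner output contains the constructed secret, else 0. */
int leaks_secret(int buggy_eq_check)
{
    char out[64];
    demo(buggy_eq_check, out, sizeof out);
    return strstr(out, "SECRET42") != NULL;
}

int main(void)
{
    char out[64];
    demo(1, out, sizeof out);
    printf("'==' end check: %s\n", out);  /* leaks the adjacent cookie */
    demo(0, out, sizeof out);
    printf("'>=' end check: %s\n", out);  /* stops at the page boundary */
    return 0;
}
```

Run as written, the ‘==’ variant emits the cookie value that follows the page in the array, while the ‘>=’ variant stops at the page boundary with only the two real tag names; the code path that performs the leak is identical in both, which is why a one-character diff was enough to fix it and why such bugs are hard to spot in review.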