A breach caused by an attack is serious; one caused by your own bug is worse. Because of a programming flaw, Cloudflare had been leaking sensitive data for several months without anyone noticing, in what is now known as Cloudbleed. The flaw was discovered by Tavis Ormandy of Google's Project Zero who, while working on an unrelated corpus distillation project, came across data in HTTP responses that he identified as sensitive and belonging to users of various sites. This data, from sites such as Uber, Yelp, OKCupid, FitBit, Medium and Feedly, was accessible to anyone who received one of the affected responses, and some of it was even stored in search engine caches, so it could be read without ever contacting those sites.
[Embedded tweet: Tavis Ormandy (@taviso), February 23, 2017]
The origin of Cloudbleed
Once the leak was found, Cloudflare's investigation traced it to a programming bug in the HTML parser that runs on its edge servers, which caused parts of the servers' memory to be returned in HTTP responses, much as Heartbleed did for OpenSSL. Note that the memory leaked belonged to Cloudflare's edge servers, not to the customer sites themselves: because one edge server proxies traffic for many customers, a response for one site could carry fragments of requests and responses for entirely unrelated sites. Cloudflare's servers were exposed to this vulnerability from September 2016 through February 18, 2017, when the bug was fixed. Cloudflare not only fixed the problem on its servers but also worked with the search engines to purge the leaked data from their caches, so that it could not be retrieved by attackers after the fact.
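The bug class behind Cloudbleed, as an added illustration that is not Cloudflare's code: Cloudflare's postmortem described a parser whose end-of-buffer test was an equality check on a pointer that could be advanced past the end, so the check never fired and the parser kept copying whatever memory followed the input. The toy scanner below reproduces that shape with a constructed "request" and a constructed neighbouring secret placed in one arena (the `arena`, `scan_vulnerable`, `scan_fixed` and `run_demo` names are this example's own). The `arena_end` guard exists only so the demo never reads outside its own array; the real bug had no such guard, which is exactly why it was exploitable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One contiguous arena stands in for the edge server's heap: the request
   being parsed sits at the front, and bytes belonging to some other
   customer's traffic sit right after it. (Constructed demo data.) */
#define ARENA_SIZE 64
static char arena[ARENA_SIZE];

/* Vulnerable scanner: copies input to out, skipping two-byte "<x" tags.
   The termination test is an equality check (p != pe). Because the tag
   branch advances p by two without checking that two bytes remain, an
   input ending in '<' moves p to pe + 1, the equality test never fires,
   and the loop keeps copying whatever memory follows the input.
   arena_end is a hard stop that exists only so the demo stays inside
   its own array. */
static size_t scan_vulnerable(const char *in, size_t n, const char *arena_end,
                              char *out, size_t outcap)
{
    const char *p = in, *pe = in + n;
    size_t o = 0;
    while (p != pe && p < arena_end && o < outcap) {
        if (*p == '<') { p += 2; continue; }   /* may step past pe */
        out[o++] = *p++;
    }
    return o;
}

/* Fixed scanner: the loop condition is an ordering check (p < pe), and
   the tag branch clamps its advance to the end of the buffer, so p can
   never point beyond pe regardless of how the input ends. */
static size_t scan_fixed(const char *in, size_t n, char *out, size_t outcap)
{
    const char *p = in, *pe = in + n;
    size_t o = 0;
    while (p < pe && o < outcap) {
        if (*p == '<') { p = (pe - p >= 2) ? p + 2 : pe; continue; }
        out[o++] = *p++;
    }
    return o;
}

/* Lay out the arena and run one scanner over the 7-byte request only.
   Returns the number of bytes the scanner emitted into out. */
size_t run_demo(int vulnerable, char *out, size_t outcap)
{
    static const char request[] = "GET /a<";                        /* 7 bytes, ends in '<' */
    static const char neighbour[] = "cookie=other-customer-secret";  /* 28 bytes, not part of the request */
    memset(arena, 0, sizeof arena);
    memcpy(arena, request, 7);
    memcpy(arena + 8, neighbour, 28);   /* arena[7] is left as a 0 byte */

    if (vulnerable)
        return scan_vulnerable(arena, 7, arena + ARENA_SIZE, out, outcap);
    return scan_fixed(arena, 7, out, outcap);
}

int main(void)
{
    char out[128];
    size_t n = run_demo(1, out, sizeof out);
    printf("vulnerable: %zu bytes emitted, starting \"%.34s\"\n", n, out);
    n = run_demo(0, out, sizeof out);
    printf("fixed:      %zu bytes emitted, \"%.*s\"\n", n, (int)n, out);
    return 0;
}
```

With the vulnerable scanner, the 7-byte request yields 62 output bytes: the 6 legitimate bytes followed by the neighbouring "cookie=..." secret and the rest of the arena. The fixed scanner emits exactly 6. The general lesson, which applies to any hand-written or generated state machine over a byte buffer, is that end-of-input must be tested with `>=`/`<`, never `==`, and every multi-byte advance must be bounds-checked before it happens.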
How to protect yourself from Cloudbleed?
Although there is no evidence that exposed data reached malicious attackers, users of affected sites are advised to change their passwords; it is a precaution worth taking now. Because session cookies and API keys were also present in the leaked memory, changing a password does not by itself invalidate a session that may already have been captured, so logging out of all active sessions (where the site offers it) and rotating any API tokens is advisable too. The list of affected sites is still being compiled, but community-maintained lists are already available; it is estimated that more than 3,400 sites were affected. Cloudflare stresses that the volume of data exposed was very small, about 0.00003% of page requests, and that which data leaked was random. Even so, users' authentication data, cookies and passwords were among what was exposed.