Huge security disasters like Cloudbleed are never fun. However, as more information about the newly reported vulnerability becomes available, we can understand how dangerous bugs stand to screw up the internet. Luckily, in the case of Cloudbleed, it’s not as bad as it could have been. But it’s not good, either.
Cloudbleed, if you hadn’t heard, is a major vulnerability that potentially affects millions of websites served by Cloudflare, a security and performance service. One tiny bug in Cloudflare’s code led to an indeterminate amount of data — including encryption keys, chat logs, cookies, and passwords — to be leaked out onto the open web and cached by search engines like Google. Cloudflare’s customers include massive websites like Uber, OKCupid, and Fitbit, which means that a tremendous number of users find themselves in the unfortunate position of not know how much (if any) of their personal data has been compromised.
That sucks. Cloudflare’s co-founder and CEO Matthew Prince said as much in an interview Gizmodo on Friday. “This is a big deal for us,” Prince said. “This is a really bad bug. This is something that our customers should be very cognisant of and should take very seriously.”
However, this is where Prince claims there’s a bit of a bright side for the end user. According to Cloudflare, most of the websites vulnerable to the bug were seldom trafficked, “forgotten WordPress blogs.” Prince claims that only 3,500 domains ended up being compromised at the height of the Heartbleed fuckup, and those that were only leaked information in a very specific circumstance involving broken HTML tags. Prince also says that 90 percent of the traffic to these websites came from sources like Google that were simply indexing the pages.
That Google crawl detail is what makes Cloudbleed especially scary. The data barfed onto pages by Cloudflare’s bug does include snippets from private chats and frames from videos watched by random people. Prince admitted as much. The fact that an untold number of search engines saved the private data does seem unnerving. More unnerving is the fact that we don’t know how much data remains in the wild and how much Cloudflare’s been able to nuke with the cooperation of search engines.
Prince says that the leak was stopped just 44 minutes after Google security researcher Tavis Ormandy notified the company of the vulnerability via Twitter. “Seven hours after that tweet, we’d completely patched our system from leaking data,” Prince told Gizmodo. The company continues to work with search engines to purge the data stored in search engines’ caches.
Still, Cloudflare hasn’t been able to quantify just how much data leaked. Prince did say that 150 Cloudflare customers (read: 150 websites or services) suffered leaks. Prince also claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year, when the leaks started, until today. That means the company is fairly confident hackers didn’t discover the vulnerability before Google’s researchers did.
Ryan Lackey, a security entrepreneur and former Cloudflare employee, has been covering the vulnerability since it became public. In an interview with Gizmodo, Lackey said that Cloudbleed is most frightening for revealing how small bugs can cause big problems. Furthermore, there are bigger threats out there.
“I don’t think this is anyone’s highest risk or highest exposure,” Lackey told Gizmodo, citing more common cyberattacks like phishing as being more dangerous. “The chance of this impacting a single customer is pretty low.”
Which sounds like good news. Anyone who wants to ensure that their data is completely safe should change their passwords and enable two-factor authentication. That’s more of a philosophical response to security risks. But Lackey went on to explain that Cloudflare’s reach combined with this newfound vulnerability shows that a more aggressive exploit could effectively bring the internet to a halt.
“This is the tiniest compromise of Cloudflare,” Lackey said. “A moderate compromise of Cloudflare could be an internet-threatening.”
So on the bright side, according to Cloudflare’s chief and a former Cloudflare employee, most users are probably fine. Anxious users should change their passwords which is honestly a great thing to do from time-to-time regardless of security threats. Then again, Cloudbleed illustrates a larger problem with internet security. If one major player gets pwned, the consequences can be catastrophic.
It seems like Cloudbleed is more of a warning shot that a death blow. That’s the good news. But the bad news is that the incident suggests internet users ought to be more vigilant than ever when it comes to protecting their personal information. Sometimes, big companies like Cloudflare fuck up. The best way to avoid becoming a victim in those instances is to watch your own ass.
Use good, secure passwords. (Here’s a good strategy to generate one.) Use two-factor authentication. And, if all else fails, pray.