Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as authentication tokens and cookies leaked from many client websites during the five months before the bug was discovered and reported by Tavis Ormandy, a researcher with Google’s Project Zero.
Unfortunately, it’s still not entirely clear how many Cloudflare customers were affected by the bug. The leaked data was cached by search engines in some cases, making the clean-up of the leak a difficult process. Although Google, Yahoo, Bing and other search engines worked to scrub the data before Cloudflare publicly disclosed the bug, researchers reported today that they were still finding samples of leaked data in search engine caches.
“You can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search… and they work,” Hector Martin, a security researcher, tweeted. (The Cloudflare incident has earned the nickname CloudBleed after being compared to the Heartbleed vulnerability.) Martin discovered an authentication cookie for a financial website, Motherboard reported. Presented to the site, such a cookie would let an attacker take over that user’s session without ever knowing the password.
Given that sensitive data is still floating around in search engine caches, it’s a good idea to reset your account passwords and enable two-factor authentication. Where a site offers it, also log out of all other sessions, since a new password does not necessarily invalidate a session cookie that has already leaked. You should also use a password manager to generate unique passwords for the websites you visit.
Cloudflare hasn’t found any leaked passwords or uncovered any evidence that the bug was discovered by anyone other than Ormandy — but it never hurts to refresh your passwords, particularly since they may be exposed in a cache.
Ormandy said that it would be wise for consumers to reset their passwords. “We cannot know for sure what has leaked, but we do know there’s a lot out there that we’re still scrambling to clean up,” he told TechCrunch. “Data was leaked accidentally over the last six months by crawlers, and regular users downloading files and visiting websites. That data could contain passwords, cookies, private data, etc. We don’t know what’s out there, private messages, passwords, credit card details.”
Users can’t clean up the mess all by themselves. Because the leak included session cookies and authentication tokens, which stay valid no matter what a user does with their password, website administrators will need to take action too.
It might be a good idea for sites that use Cloudflare to issue a forced password reset to their users, invalidate existing sessions and revoke the authentication tokens issued to mobile apps. (Some Cloudflare customers, like Creative Commons and Bugcrowd, are already doing this.)
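The server-side clean-up described above, as an added example that is not code from Cloudflare, TechCrunch or any of the sites named here: a hypothetical session store that stores only a hash of each bearer token, revokes every session issued before a chosen cutoff with one timestamp per user rather than a table scan, flags every account for a forced password reset, and kills a user’s old sessions when the new password is set. All class and method names are illustrative assumptions.

```python
from __future__ import annotations

# Added example, not Cloudflare's or TechCrunch's code. Every name below
# (SessionStore, User, Session, PasswordResetRequired) is hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SESSION_LIFETIME = timedelta(days=30)


class PasswordResetRequired(Exception):
    """Credentials were correct, but the account is locked until the password is changed."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a placeholder to tune per deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_id(token: str) -> str:
    # Only the SHA-256 of the bearer token is stored, so a copy of the session
    # table does not by itself yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    must_reset_password: bool = False
    # Any session issued at or before this instant is treated as revoked.
    tokens_valid_after: datetime = EPOCH


@dataclass
class Session:
    username: str
    issued_at: datetime
    expires_at: datetime


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}  # token hash -> Session

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash_password(password, salt))

    def create_session(self, username: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[_token_id(token)] = Session(username, now, now + SESSION_LIFETIME)
        return token

    def login(self, username: str, password: str, now: datetime) -> str | None:
        """Fresh session token on success, None on bad credentials."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user.password_hash, _hash_password(password, user.salt)):
            return None
        if user.must_reset_password:
            raise PasswordResetRequired(username)
        return self.create_session(username, now)

    def validate(self, token: str, now: datetime) -> str | None:
        """Username if the cookie is still good, otherwise None."""
        sess = self.sessions.get(_token_id(token))
        if sess is None or now >= sess.expires_at:
            return None
        if sess.issued_at <= self.users[sess.username].tokens_valid_after:
            return None  # revoked by an incident cutoff or a password change
        return sess.username

    def revoke_all_sessions(self, cutoff: datetime) -> None:
        """Reject every session or token issued at or before cutoff, for every user."""
        for user in self.users.values():
            if user.tokens_valid_after < cutoff:
                user.tokens_valid_after = cutoff

    def force_password_reset(self) -> None:
        for user in self.users.values():
            user.must_reset_password = True

    def reset_password(self, username: str, new_password: str, now: datetime) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.must_reset_password = False
        # Changing the password does not log out existing sessions by itself;
        # move the cutoff so anything issued before the change is dead too.
        user.tokens_valid_after = max(user.tokens_valid_after, now)
```

The clock is passed in explicitly so an incident cutoff (for instance the moment the fix went live) can be applied deterministically and the logic can be tested without sleeping; in production `now` would simply be `datetime.now(timezone.utc)`. The per-user cutoff works equally for opaque cookies and for mobile API tokens, as long as each token records when it was issued.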
Security researcher Ryan Lackey points out that, for some sites, a password reset might not be worth the loss of trust that it can provoke in consumers. “It doesn’t appear large numbers of credentials have been compromised, so for a consumer service with limited risk to compromised accounts, it may not be worth the effort. For administrator credentials, or for any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update,” Lackey wrote in a Medium post.
You can check out a list of Cloudflare customers to see if websites you use might be affected by the leak — but keep in mind that not all of Cloudflare’s clients were affected. Because of the way Cloudflare’s code was configured, the leak was at its worst for less than a week, when 1 in every 3,300,000 Cloudflare requests might have caused leakage. As Cloudflare notes, that’s just 0.00003% of requests.
This story has been updated to clarify that authentication credentials but not passwords have been found in leaked caches.