A Brief Colonial History Of Ceylon(SriLanka)
Sri Lanka: One Island Two Nations
Thiranjala Weerasinghe sj.- One Island Two Nations
Monday, February 27, 2017
Uber, OKCupid users among millions urged to change passwords after Cloudflare bug causes massive leak
25th February 2017
Some of the world’s most popular websites and apps have been affected by
a massive data leak after internet security giant Cloudflare was hit by
a tiny bug that exposed sensitive data, including passwords and
personal information of millions of users.
According to several reports from leading technology news sites, the
so-called Cloudbleed vulnerability had affected up to 3,400 websites,
including popular services such as Uber, OKCupid and Fitbit, Cloudflare
announced late Thursday.
While there’s no indication hackers actually accessed usernames and
passwords, as well as a slew of other private information sent by users
over the services, the information was exposed both on corrupted
versions of the websites and in cached results on search services like
Google and Bing.
Although there was as yet no sign that hackers had accessed the
sensitive information, including usernames and passwords, the
information could now be found on corrupted versions of the websites
and in cached results on search engines such as Google and Bing, CBS News reported.
In a blog posting detailing
the flaw, Cloudflare’s chief technical officer, John Graham-Cumming,
said the company has not discovered any evidence of “malicious exploits”
of the bug or other reports of its existence.
“The bug was serious because the leaked memory could contain private
information and because it had been cached by search engines,” he said.
“Because Cloudflare operates a large, shared infrastructure, an HTTP
request to a Cloudflare web site that was vulnerable to this problem
could reveal information about an unrelated other Cloudflare site.”
He said that after being made aware of the bug, the company quickly
identified the problem and turned off three minor Cloudflare features:
email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites,
all of which used the same HTML parser chain that was causing the
leakage.
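The leak mechanism the article describes, illustrated with a toy HTML attribute parser (added example, not Cloudflare’s code; the arena layout, tenant data and the specific missing bounds check are assumptions): two tenants’ data share one buffer, and a parser that stops only at a closing quote walks past an unterminated attribute into the neighbouring tenant’s request, while the bounded version treats the malformed input as an error.

```c
#include <stdio.h>
#include <string.h>
/* Constructed shared arena (not Cloudflare's code): two tenants' data sit
 * back to back, as in a multi-tenant proxy. Tenant A's HTML has an
 * unterminated attribute; tenant B's request holds a session cookie. */
static char arena[256];
static const char tenant_a[] = "<a href=\"/login";   /* no closing quote */
static const char tenant_b[] = "POST /api HTTP/1.1\r\nCookie: session=SECRET-B\r\n";
/* Lay the tenants out contiguously; returns the length of tenant A's slice. */
size_t build_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, tenant_a, sizeof tenant_a - 1);
    memcpy(arena + sizeof tenant_a - 1, tenant_b, sizeof tenant_b - 1);
    return sizeof tenant_a - 1;
}
/* Vulnerable: stops only at a closing quote (or NUL), never at the end of
 * the tenant's slice, so a missing quote makes it copy the neighbour's bytes. */
size_t extract_href_vuln(const char *slice, size_t slice_len, char *out, size_t cap) {
    const char *p = strstr(slice, "href=\"");
    size_t n = 0;
    (void)slice_len;                     /* the bug: the slice bound is ignored */
    if (!p) { out[0] = '\0'; return 0; }
    for (p += 6; *p != '"' && *p != '\0' && n + 1 < cap; ++p) out[n++] = *p;
    out[n] = '\0';
    return n;
}
/* Hardened: every read is checked against the slice end; an attribute that
 * runs off the end (or a search hit beyond it) is malformed and yields nothing. */
size_t extract_href_safe(const char *slice, size_t slice_len, char *out, size_t cap) {
    const char *end = slice + slice_len;
    const char *p = strstr(slice, "href=\"");  /* slice lives in a NUL-terminated buffer */
    size_t n = 0;
    out[0] = '\0';
    if (!p || p + 6 > end) return 0;
    for (p += 6; p < end && *p != '"' && n + 1 < cap; ++p) out[n++] = *p;
    if (p >= end || *p != '"') { out[0] = '\0'; return 0; }  /* unterminated */
    out[n] = '\0';
    return n;
}
int main(void) {
    char out[128];
    size_t a_len = build_arena();
    extract_href_vuln(arena, a_len, out, sizeof out);
    printf("vulnerable parser returned: %s\n", out);    /* contains SECRET-B */
    extract_href_safe(arena, a_len, out, sizeof out);
    printf("hardened parser returned:   \"%s\"\n", out); /* empty */
    return 0;
}
```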
Because of the seriousness of such a bug, he said a cross-functional
team from software engineering, infosec and operations formed in San
Francisco and London to fully understand the underlying cause, and the
effect of the memory leakage, and to work with Google and other search
engines to remove any cached HTTP responses.
“Having a global team meant that, at 12 hour intervals, work was handed
over between offices enabling staff to work on the problem 24 hours a
day. The team has worked continuously to ensure that this bug and its
consequences are fully dealt with.”
He said one of the advantages of being a security service is that bugs
can go from reported to fixed in minutes to hours instead of months.
“The industry standard time allowed to deploy a fix for a bug like this
is usually three months; we were completely finished globally in under 7
hours with an initial mitigation in 47 minutes,” he said.
According to Wired,
Google vulnerability researcher Tavis Ormandy had uncovered the flaw on
Feb 17, but the bug, which inserted random data from any of six million users
of major sites like Uber into other pages, could have been leaking since Sept last year.
This means that information about an Uber ride a user took, and even
their password, could have ended up hidden in the code of
another site.
However, the exposed data was not easily available as it was not posted
on well-known or high traffic sites. Regardless, the leak included
sensitive cookies, login credentials, and other important authentication
tokens, including some of Cloudflare’s own internal cryptography keys.
Another popular tech news site said it will take some time before the
full extent of the leak can be determined. Users were also urged to
change all their passwords and implement two-factor authentication
everywhere they could.
Cloudflare might not be a household name for regular internet users, but
a lot of favourite websites are run on the company’s technology.
Describing itself as a “web performance and security company”, Cloudflare
was originally set up in 2009 to track sources of spam, but has since
grown to offer performance-based services such as content delivery;
reliability-focused offerings like domain name server (DNS)
services; and security services like protection against distributed denial of
service (DDoS) attacks, according to Gizmodo.
The fact that Cloudflare is a security company makes the dustup around
this new vulnerability supremely ironic. After all, countless companies
pay Cloudflare to help keep their user data safe. The Cloudbleed blunder
did the opposite of that.
“I’ve informed Cloudflare what I’m working on. I’m finding private
messages from major dating sites, full messages from a well-known chat
service, online password manager data, frames from adult video sites,
hotel bookings,” Ormandy wrote in an advisory, as quoted by Gizmodo.
“We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”