What happened?

Tavis Ormandy, a vulnerability researcher at Google, was the first to discover and report a major internet security bug on February 19th. The problem was so serious that Tavis had to tweet to his 44k+ followers about Cloudflare to get an immediate response from the company on a Friday evening.

This bug in Cloudflare’s software was leaking Personally Identifiable Information (PII) for all requests including HTTPS requests. That is, Cloudflare was leaking user passwords, keys, data and everything even when websites were taking the best security measures. This could potentially affects the 2 million websites that use Cloudflare for their content delivery network (CDN), domain name system (DNS) and other internet security services.

Cloudflare claimed that only 0.00003% of internet requests were affected by this bug and didn’t state which websites were affected. But, contributors on Github put together a list of websites potentially affected by Cloudbleed. Some of the notable websites affected were Medium (you are here right now), OKCupid (private dating messages), Coinbase (Bitcoin exchanges), Uber and Cloudflare.com itself.

As reported by Cloudflare, this security flaw was exposed since as early as September 2016. That means, for the past 6 months, anyone could potentially have logged into your Medium account, sent some OKCupid messages on behalf of you, or traded some bitcoins under your Coinbase account.

Cloudflare stores caches (or copies) of webpages to make it faster for users to load websites. Since the sensitive data were among these caches, it was obvious for Cloudflare to purge and delete them immediately, and they did. But, this situation got trickier when search engines like Google also caches webpages processed by Cloudflare. Caches from Google, Bing and Yahoo Search containing sensitive information should be purged before the public disclosure of this bug. Predictably, it’s not that simple. Bing still has some caches with sensitive data yet to be purged.

Why should a regular user be concerned?

You should be concerned because there’s no way to quantify the risk here. It’s impossible to know whether anyone has kept or used these leaked information during this 6-month period of security exposure. You don’t know if someone already has some of your passwords. The probability is low, but there’s always a possibility. Luckily, many affected companies have already taken steps to mitigate this bug. For example, all Medium users were logged out of its website and mobile apps as a result of mitigation.

So, what should you do? You can change passwords on affected websites. Or, simply, you can change all your passwords, especially if you use the same password everywhere (please don’t do this). You should use a unique password for every account. You should use passwords that you will never remember because passwords like “p@ssw0rd” can be cracked quicker than the blink of your eyes. We wrote a guide to safely manage your passwords in an easy way.

Why are software developers concerned?

Looking at the original thread, Tavis pointed out about Cloudflare’s bug bounty program. A bug bounty program usually provides monetary incentives to encourage external security researchers to hunt down security bugs. Companies like Dropbox, Twitter and Github offer thousands of dollars on any serious security bug. But, let’s look at Cloudflare’s rewards:

Recognition on our Hall of Fame (OK)

A limited edition CloudFlare bug hunter t-shirt (OK…)

12 months of CloudFlare’s Pro (…)

That’s all. No money.

Companies that take security seriously will absolutely offer monetary rewards for external help because they understand that no matter how good they are, their software will always have bugs. And, unfortunately, these bugs are sometimes very serious (ie. 1 billion Yahoo user accounts were hacked).

Software like web apps and mobile apps relies on many paid services on both the application and the infrastructure level. We do this so that we can stand on the shoulders of giants and don’t need to reinvent the wheel.

But, it also means that we are relying on others to do a good job on security. Don’t get me wrong. I think specialization is good for any industry. It’s great that we can rely on companies like Cloudflare for internet security and optimization, so that we can focus on building things. But, as a community, we need a better approach on internet security so we don’t get big surprises like Cloudbleed every now and then.

If you like this article, follow Altcademy on Medium and sign up for our newsletter below!