WARNING: Cloudflare Bug Potentially Compromised Your Highly Sensitive Data

Beware: in a recent announcement, a bug has been found in Cloudflare, a web service and security company used by more than 5.5 million websites.

The Bug

Cloudflare, along with the help of some Google employees who discovered the issue, have found and fixed a software bug (informally referred to as the “Cloudbleed” bug) that accidentally leaked sensitive data. The informal name is a reference to the Heartbleed bug from 2014 that affected the security of the OpenSSL cryptography library. The vulnerable data leaked by the Cloudbleed bug includes passwords, cookies, IP addresses, keys, private messages, and HTTPS requests.

This bug was serious because “chunks of uninitialized memory” were found “interspersed with valid data,” according to Tavis Ormandy from Google’s Project Zero. He was the first to notice that he was finding data that he shouldn’t have been able to see. Ormandy quickly notified Cloudflare, and the bug was patched.

The issue didn’t simply end with squashing a bug, though. Many websites, like Google, act as HTTP caches, saving snapshots of the web. If the malformed data were accidentally leaked to a website, and Google cached that page, your once secret data could now be forever saved in that cache. So it’s possible that the private information of anyone using a website that uses Cloudflare has been compromised.

Sites Possibly Affected

Seeing as how millions of websites rely on Cloudflare, this bug was widespread. There are many potentially compromised sites, but most importantly, for the blockchain community, Kraken, Coinbase, and Poloniex are affected. There’s a dynamic list of potentially affected sites available here on GitHub. If you have an account on any of those sites, your data may have been leaked. That list includes a disclaimer, which reads:

“This list contains all domains that use cloudflare DNS, not just the cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.”

Since so many websites were possibly affected, the list is unsurprisingly long.

Recommended Action

It’s highly recommended that users change their passwords on any sites that may have been affected (or change all passwords). Users are also advised to disable then reactivate any two-factor authentication (2FA) they may have set up.

In the name of transparency, Cloudflare released a long blog post, detailing everything that happened regarding this bug, down to a technical level. In the blog, Cloudflare said, “We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it.”

It’s important to reiterate that this was not an attack, or even initiated by a bad actor, it was simply a bug in older software. Although a hacker probably didn’t actively steal any data, that doesn’t mean a user is safe. Rather than worry about someone stumbling across your private information, which could be cached online somewhere indefinitely, simply change your passwords, and update any 2FA. By following 2FA best practices, and using strong passwords, you should hopefully be safe.