Thursday Jul 19th 2018

WARNING: Cloudflare Bug Potentially Compromised Your Highly Sensitive Data

By Jim Manning, Writer, ETHNews.com

A software bug was found in Cloudflare, and it may affect millions of websites. Certain passwords may require changing.

Beware: a recently announced bug has been found in Cloudflare, a web service and security company used by more than 5.5 million websites.

The Bug

Cloudflare, with the help of some Google employees who discovered the issue, has found and fixed a software bug (informally referred to as the “Cloudbleed” bug) that accidentally leaked sensitive data. The informal name is a reference to the Heartbleed bug from 2014 that affected the security of the OpenSSL cryptography library. The data leaked by the Cloudbleed bug includes passwords, cookies, IP addresses, keys, private messages, and HTTPS requests.

This bug was serious because “chunks of uninitialized memory” were found “interspersed with valid data,” according to Tavis Ormandy from Google’s Project Zero. He was the first to notice that he was finding data that he shouldn’t have been able to see. Ormandy quickly notified Cloudflare, and the bug was patched.

The issue didn’t simply end with squashing a bug, though. Many websites, like Google, act as HTTP caches, saving snapshots of the web. If the malformed data were accidentally leaked to a website, and Google cached that page, your once secret data could now be forever saved in that cache. So it’s possible that the private information of anyone using a website that uses Cloudflare has been compromised.

Sites Possibly Affected

Because millions of websites rely on Cloudflare, this bug was widespread. There are many potentially compromised sites, but most importantly for the blockchain community, Kraken, Coinbase, and Poloniex are affected. There’s a dynamic list of potentially affected sites available here on GitHub. If you have an account on any of those sites, your data may have been leaked. That list includes a disclaimer, which reads:

“This list contains all domains that use cloudflare DNS, not just the cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.”

Since so many websites were possibly affected, the list is unsurprisingly long.
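One way to check your own accounts against a list that long, as an added example that is not part of the original article: it assumes the list has been saved as plain text with one domain per line, and the function names and sample data are constructed for illustration. Matching is done on whole domain labels, so `www.kraken.com` matches the entry `kraken.com` but `notkraken.com` does not.

```python
def parent_domains(host):
    """Yield host and each parent: a.b.example.com -> a.b.example.com, b.example.com, example.com."""
    labels = host.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        yield ".".join(labels[i:])


def accounts_on_list(account_hosts, list_lines):
    """Stream the domain list once; return {account_host: most specific matching list entry}."""
    # Index each account host under all of its parent domains, so every
    # line of the (very long) list costs a single dictionary lookup.
    wanted = {}
    for host in account_hosts:
        for domain in parent_domains(host):
            wanted.setdefault(domain, []).append(host)

    hits = {}
    for line in list_lines:
        entry = line.strip().lower().rstrip(".")
        for host in wanted.get(entry, ()):
            # Keep the longest (most specific) entry that covers this host.
            if len(entry) > len(hits.get(host, "")):
                hits[host] = entry
    return hits


# Constructed sample data: three sites named in the article plus a filler entry.
# The one-domain-per-line layout is an assumption about the saved list.
SAMPLE_LIST = """\
coinbase.com
example.net
kraken.com
poloniex.com
""".splitlines()

# Constructed account hostnames, e.g. exported from a password manager.
SAMPLE_ACCOUNTS = ["www.kraken.com", "api.coinbase.com", "POLONIEX.COM.",
                   "notkraken.com", "login.example.org"]

if __name__ == "__main__":
    matches = accounts_on_list(SAMPLE_ACCOUNTS, SAMPLE_LIST)
    for host, entry in sorted(matches.items()):
        print(f"{host}: listed as {entry}; change this password first")
```

For the full list, pass an open file object as `list_lines` so the file is read line by line rather than loaded into memory. Per the list's own disclaimer, a match only sets the order in which to change passwords, and a miss is not an all-clear.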

Recommended Action

It’s highly recommended that users change their passwords on any sites that may have been affected (or change all passwords). Users are also advised to disable then reactivate any two-factor authentication (2FA) they may have set up.

In the name of transparency, Cloudflare released a long blog post, detailing everything that happened regarding this bug, down to a technical level. In the blog, Cloudflare said, “We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it.”

It’s important to reiterate that this was not an attack, or even initiated by a bad actor; it was simply a bug in older software. Although a hacker probably didn’t actively steal any data, that doesn’t mean a user is safe. Rather than worry about someone stumbling across your private information, which could be cached online somewhere indefinitely, simply change your passwords and update any 2FA. By following 2FA best practices and using strong passwords, you should hopefully be safe.

Jim Manning

Jim Manning lives in Los Angeles and has been writing for websites for over five years, with a particular interest in tech and science. His interest in blockchain technology and cryptocurrency stems from his belief that it is the way of the future. Jim is a guest writer for ETHNews. His views and opinions do not necessarily constitute the views and opinions of ETHNews.
