A new bug was found to be leaking information from hundreds of thousands of websites, but it doesn’t appear anyone has exploited it yet.
While working on a side project last week, Google vulnerability researcher Tavis Ormandy discovered that major websites were inadvertently exposing data.
The so-called “Cloudbleed” vulnerability he found took the security community by storm when it was disclosed Thursday night. Its nickname — an homage to the Heartbleed bug — made a lot of people nervous.
But while it’s technically similar to the 2014 bug that compromised the security of large swaths of the internet, the vulnerability that Ormandy discovered has less impact on consumers.
It existed in websites that use Cloudflare, which is a popular content distribution and security company, with over five million customers including Uber, OkCupid and Fitbit.
The Cloudflare flaw leaked information from various client websites, potentially including private messages, authentication tokens, passwords and other sensitive data. So when one person visited an affected website, the page may have contained data from another user in its code.
So let’s say a page on OkCupid had bad code. When you visited that web page, it might contain data from another person who was using a Cloudflare-hosted website like Uber. It would be invisible to most people, hidden in the page’s code but freely available to anyone who knows how to look for it.
“You can get the random snapshots of data out of memory, and in some cases they’ll contain nothing,” Dan Tentler, founder and CEO of security consulting firm The Phobos Group, told CNNTech. “In some cases, they’ll contain snippets of private conversations happening on a service that is using Cloudflare.”
In a series of posts describing his discovery, Ormandy said he was able to find “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites [and] hotel bookings.” The bug had existed since September.
Ormandy alerted Cloudflare to the issue on February 17. Cloudflare disabled the features that were causing the problem, and began working to delete caches of data that could have exposed personal information. Not all of the caches have been fully removed yet.
Cloudflare CTO John Graham-Cumming told CNNTech the company is not aware of anyone exploiting this vulnerability, and the risk that anyone’s password has been exposed is small. The company will continue to investigate whether anyone exploited the issue before Ormandy discovered it.
On Thursday night, Cloudflare published a blog post describing the bug and the actions the company took upon its discovery.
But as Tentler explained, this vulnerability could not have been used to target individual people or companies. Any information an attacker received would be a “grab bag” — a random sample of data that may or may not contain any sensitive information.
“It is potentially scary for a small number of people that may have actually been affected,” Tentler said. But there’s no evidence that anyone discovered it before Ormandy, he said.
Caution is warranted, though. Ryan Lackey, a security entrepreneur who formerly worked at Cloudflare, said since people can’t be certain what information, if any, was affected, they may want to change their passwords. Also, anyone with website admin credentials should change them immediately.
Lackey also said people should use basic security strategies, including strong passwords, two-factor authentication and a password manager.
1Password, a password manager and Cloudflare customer, said its security is not affected by this vulnerability. A spokeswoman for Fitbit said the company is investigating the issue, and concerned users can change their passwords.
OkCupid CEO Elie Seidman said the company’s initial investigation into the bug “revealed minimal, if any, exposure,” and OkCupid will let users know if it finds any security issues. An Uber spokeswoman said “only a handful of session tokens were involved and have since been changed. Passwords were not exposed.”
Though some personal information may remain in cached data, Lackey said it’s unlikely this vulnerability will be exploited because there are easier ways of getting personal information, including targeted phishing attacks.
“In reality, it was a great find,” Lackey said. “But the practical consequences are not huge.”