Biggest Web Security Breach of the Year: Change Your Passwords Now
By Jef Cozza / CRM Daily
Time to change your passwords again. A new security bug nicknamed 'Cloudbleed' may have compromised the security of user data at sites using the Cloudflare security service. At risk are logins and passwords for millions of Web sites.

The bug was discovered last Friday by Google security researcher Tavis Ormandy, part of the company's Project Zero initiative. It affected the Web security and services company Cloudflare, whose edge servers had been leaking fragments of customers' HTTPS traffic, including that of popular Web sites and services such as Uber, FitBit, and OkCupid, for the past several months. The leaked data included sensitive personal information.

Chat Services and Adult Videos

“The examples we're finding are so bad,” Ormandy wrote in a post on the Project Zero site. “I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

According to Cloudflare, Ormandy alerted the company to the problem on February 17, at which point Cloudflare deactivated three minor service features that relied on the HTML parser chain responsible for the leak. The company said it is now no longer possible for memory to be returned in an HTTP response.

“The greatest period of impact was from February 13 to February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests),” the company wrote in a blog post regarding the vulnerability.

But according to Ormandy, Cloudflare's announcement severely downplays the risk that Cloudbleed presents to its customers. “We keep finding more sensitive data that we need to clean up,” Ormandy said. “I didn't realize how much of the Internet was sitting behind a Cloudflare CDN [content delivery network] until this incident.”

Problems at the Edge

According to Cloudflare, the problem stemmed from a bug in its edge servers that caused some HTTP responses passing through its service to come back corrupted: the returned Web page carried extra bytes that did not belong to it.

Cloudflare said that under unusual circumstances its edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Because that memory belonged to the same process that was serving other customers' traffic, the leaked bytes could come from any site behind Cloudflare, not only the one whose page was being requested.
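To make the mechanism concrete, here is a small C program added for this article; it is an illustration written for this page, not Cloudflare's code and not the data Ormandy found. It models a page rewriter whose attribute scanner checks for the end of the input buffer with an equality test and, on an escaping backslash, steps two bytes at a time, so a page that ends in the middle of an attribute pushes the pointer past the end without ever matching it and the scanner copies whatever sits next in memory into the response. The "leftover" cookie that follows the page in the arena, the page contents and the escape rule are all constructed assumptions. The hardened version beside it bounds the pointer with a less-than test and refuses to consume an escape that has no byte after it inside the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for illustration (not the article's data and not
 * Cloudflare's code): the HTML page being rewritten is immediately followed in
 * the same arena by bytes left over from another client's request. The page
 * ends in the middle of a quoted attribute value, right after an escaping
 * backslash. */
#define PAGE     "<img alt=\"a\\"
#define LEFTOVER "Cookie: session=abc123; password=hunter2\" />"

static const char arena[] = PAGE LEFTOVER;
static const size_t page_len = sizeof(PAGE) - 1;   /* bytes that belong to the page */

/* Vulnerable scanner: copies the quoted attribute value starting at *p into out.
 * A backslash escapes the next byte (an assumed rule for this toy), so p can
 * advance two bytes at once. The only bounds check is `p != end`: when the page
 * ends right after a backslash, p steps over `end` without ever being equal to
 * it, and the loop keeps reading the memory that follows the page until it
 * happens to find a closing quote. */
size_t copy_attr_vulnerable(const char *p, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (p != end && n + 1 < cap) {
        if (*p == '"')
            break;
        if (*p == '\\')
            p++;                 /* skip the escape, take the next byte literally */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Fixed scanner: the loop condition is `p < end`, so a pointer that has jumped
 * past the end still terminates the loop, and an escape with nothing after it
 * inside the page is treated as truncated input rather than consumed. */
size_t copy_attr_fixed(const char *p, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (p < end && n + 1 < cap) {
        if (*p == '"')
            break;
        if (*p == '\\') {
            if (p + 1 >= end)    /* escape at end of buffer: stop, do not read on */
                break;
            p++;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Runs both scanners over the same page; returns 1 if the vulnerable one
 * copied bytes from beyond page_len, i.e. from the other client's data. */
int demo_leaks(char *vuln_out, size_t vcap, char *fixed_out, size_t fcap)
{
    const char *start = strchr(arena, '"') + 1;     /* first byte of the attribute value */
    const char *end = arena + page_len;             /* one past the last byte of the page */

    copy_attr_vulnerable(start, end, vuln_out, vcap);
    copy_attr_fixed(start, end, fixed_out, fcap);
    return strstr(vuln_out, "session=") != NULL;
}

int main(void)
{
    char v[128], f[128];
    int leaked = demo_leaks(v, sizeof v, f, sizeof f);
    printf("vulnerable scanner returned: \"%s\"\n", v);
    printf("fixed scanner returned:      \"%s\"\n", f);
    printf("leak of adjacent memory: %s\n", leaked ? "yes" : "no");
    return 0;
}
```

Compile with `cc -Wall demo.c && ./a.out`. The vulnerable scanner returns the attribute value followed by the whole constructed cookie and password from the adjacent record; the fixed scanner returns only the bytes that belong to the page. The general lesson is the one the incident teaches: an end-of-buffer check that a legal input can step over is not a bounds check, and parsers that rewrite untrusted HTML should be fuzzed with truncated inputs so this failure mode shows up in testing rather than in a search-engine cache.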

The company said it has not yet found evidence of malicious exploitation of the bug. That offers limited comfort: search engines, including Google, had already crawled and cached many of the affected pages, sensitive data included, so the leaked content was retrievable without ever attacking Cloudflare.

“We've been trying to help clean up cached pages inadvertently crawled at Google,” Ormandy said. “This is just a bandaid, but we're doing what we can. Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know.”

But other crawlers have likely already collected the data, and may not yet realize the significance of the information they have stored on their servers.

Posted: 2017-02-26 @ 10:35am PT
When the first two commenters don't understand the article

Posted: 2017-02-24 @ 11:29pm PT
. . . Isn't DuckDuckGo a more-secure search engine?

Posted: 2017-02-24 @ 12:53pm PT
How about going 'incognito' in google search?

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.