Cloudbleed bug found and fixed fast but concerns remain

Published 2/25/2017 by Ugotsta

A simple, one-character bug in the code that CDN service Cloudflare used for modifying HTML content has been caught and patched. Discovered by Google Project Zero team member Tavis Ormandy, the bug caused some user data to be leaked arbitrarily through web requests. Cloudflare has since been working with search engines to remove any of that data that may have been cached.

While it's essentially resolved now, the issue dates back to September of last year. To be safe, users are advised to change passwords for any of the services affected by the bug, though more importantly, it's recommended to use secure passwords throughout the internet.

A list of services using Cloudflare has been posted here: https://github.com/pirate/sites-using-cloudflare

As seen in the list above, AlternativeTo is among the many services utilizing Cloudflare. Fortunately, we've been updated by Cloudflare in an email saying, "Your domain is not one of the domains where we have discovered exposed data in any third party caches." It's always safe to change passwords though.

Apps like 1Password can help avoid using the same password across multiple services. Like similar apps, it lets you keep login credentials in a safe, central place. And apparently it was unaffected by this incident, as reported in this tweet: https://twitter.com/Cloudflare/status/834940080397529088

For anyone interested, here's the bug report by Tavis Ormandy:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

And the official incident report from Cloudflare: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug

Meanwhile, Ryan Lackey (who used to work for Cloudflare) has written up a very thoughtful post on the matter with lots of key insight here: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165
