
Serious Bug ‘Cloudbleed’ exposes sensitive data from websites using CloudFlare

Deepanker Verma February 25, 2017 Security


Popular website caching and security service CloudFlare has put millions of websites at risk. A severe security vulnerability, ‘CloudBleed’, has been discovered in Cloudflare that caused many websites to expose private session keys and other sensitive data.

As per reports, over 5.5 million websites use CloudFlare services. The flaw is not limited to websites: it has also affected mobile apps, because apps rely on web services hosted on servers that use Cloudflare.

NowSecure confirmed that over 200 of the 3,500 most popular iOS apps use Cloudflare. That gives some idea of how seriously this bug has affected websites and apps.

The name Cloudbleed was borrowed from the older ‘Heartbleed’ bug, but this newly discovered flaw is worse.

What is Cloudbleed?

Cloudbleed is a major flaw in Cloudflare’s Internet infrastructure service that causes the leakage of private session keys and other sensitive information from websites using the Cloudflare services.

This vulnerability was discovered by Google Project Zero security researcher Tavis Ormandy over a week ago. He found a buffer overflow issue in Cloudflare’s edge servers, which were returning memory containing private data such as HTTP cookies, authentication tokens, and other important data.


Ormandy observed that Cloudflare is leaking encryption keys, passwords, cookies, chunks of POST data, and HTTPS requests for Cloudflare hosted websites.
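The memory leak the article describes, reduced to a constructed C illustration added here (this is not Cloudflare’s code and not the parser Ormandy examined): a tag copier that stops only at the closing ‘>’ and therefore walks past the end of its own input into whatever sits next to it in memory, shown beside the bounded version. The page fragment, the neighbouring ‘Cookie:’ bytes, the arena layout and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 128

/* Constructed layout (an assumption for this example): a page fragment whose last
 * tag is never closed, followed in the same buffer by unrelated bytes standing in
 * for another request's memory. Only the first page_len bytes are the parser's input. */
static const char PAGE[] = "<p>hello <a href=\"/x\" class=\"unterminated";
static const char NEIGHBOUR[] = "Cookie: session=EXAMPLE-SECRET-TOKEN; ";

/* Lay PAGE and NEIGHBOUR back to back in a zeroed arena; return the page length. */
static size_t build_arena(char *arena)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, PAGE, sizeof PAGE - 1);
    memcpy(arena + (sizeof PAGE - 1), NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return sizeof PAGE - 1;
}

/* Vulnerable copier: copies the tag starting at pos into out, stopping only at '>'
 * (or a NUL it happens to meet). page_len is never consulted, so an unterminated
 * tag keeps reading past the input into NEIGHBOUR and emits those bytes. */
static size_t copy_tag_vulnerable(const char *buf, size_t page_len, size_t pos,
                                  char *out, size_t out_cap)
{
    size_t n = 0;
    (void)page_len;                     /* the defect: input length is ignored */
    while (n + 1 < out_cap) {
        char c = buf[pos + n];
        out[n++] = c;
        if (c == '>' || c == '\0')
            break;
    }
    out[n] = '\0';
    return n;
}

/* Fixed copier: the same loop, but bounded by page_len. An unterminated tag yields
 * an empty string and a length of 0 instead of whatever follows the input. */
static size_t copy_tag_fixed(const char *buf, size_t page_len, size_t pos,
                             char *out, size_t out_cap)
{
    size_t n = 0;
    while (pos + n < page_len && n + 1 < out_cap) {
        char c = buf[pos + n];
        out[n++] = c;
        if (c == '>') {
            out[n] = '\0';
            return n;
        }
    }
    out[0] = '\0';
    return 0;
}

/* Run one copier on the unterminated <a ...> tag and report whether its output
 * contains bytes from NEIGHBOUR. Returns 1 if it leaked, 0 otherwise. */
static int tag_copy_leaks(size_t (*copier)(const char *, size_t, size_t, char *, size_t))
{
    char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t page_len = build_arena(arena);
    size_t pos = (size_t)(strstr(arena, "<a ") - arena);
    copier(arena, page_len, pos, out, sizeof out);
    return strstr(out, "session=") != NULL;
}

int vulnerable_copier_leaks(void) { return tag_copy_leaks(copy_tag_vulnerable); }
int fixed_copier_leaks(void)      { return tag_copy_leaks(copy_tag_fixed); }

/* The fixed copier still handles a properly closed tag: "<p>" at offset 0. */
size_t fixed_copier_closed_tag_len(void)
{
    char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t page_len = build_arena(arena);
    return copy_tag_fixed(arena, page_len, 0, out, sizeof out);
}

int main(void)
{
    char arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t page_len = build_arena(arena);
    size_t pos = (size_t)(strstr(arena, "<a ") - arena);

    copy_tag_vulnerable(arena, page_len, pos, out, sizeof out);
    printf("vulnerable: \"%s\"\n", out);   /* the Cookie: bytes appear here */
    copy_tag_fixed(arena, page_len, pos, out, sizeof out);
    printf("fixed:      \"%s\"\n", out);   /* empty: nothing beyond the input */
    return 0;
}
```

The point of the comparison is that the leaked bytes are not produced by any fault in the neighbouring data; they leak because the copier trusts a terminator it has not yet found rather than the length it was given. Bounding every scan by the input length, and treating “terminator not found” as a distinct outcome, is what keeps one request’s memory from appearing in another’s response.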

Even if you do not use CloudFlare directly, that does not mean you are safe. You are most likely using a website that sits behind Cloudflare, so the flaw affects you and may have leaked your data.

The worst part is that some of the leaked information was publicly cached by search engines such as Google, Bing, Yahoo, and DuckDuckGo.

Cloudflare has been notified of the issue and has identified its cause. Until it is fixed, the company has disabled three minor Cloudflare features: Email Obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites.

It is worth noting that many popular websites use CloudFlare, including DigitalOcean, Medium, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more. We at Techlomedia also use Cloudflare, but we never collect any sensitive data from users, so readers of Techlomedia are safe.



About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
