A memory leak in some of Cloudflare’s code caused sensitive information to be exposed. Worse yet, some of the exposed information was cached by search engines. Despite all the hype, “Cloudbleed” affects a fraction of Cloudflare’s sites.
Cloudbleed threat summary
The likelihood of a site being affected by Cloudbleed is Low-Medium. The bug caused a data leak in 0.00003% of requests. (See the Cloudflare link above.) However, the impact is High to Severe: not only could sensitive information be leaked, but a search engine could also cache it.
We see Cloudbleed as a medium cybersecurity risk. However, this risk assessment is very website-dependent: if your website has high traffic and you use the features identified by Cloudflare, the risk can quickly move into High or Severe territory.
Cloudbleed affects some (not all) CloudFlare websites
(Updated 3/2/2017. This section erroneously stated that sites that don’t use these features were not affected. This update also added a section to quantify the bug.)
Unfortunately, there is no definitive list of affected websites. Several lists are circulating in the media, but most of them simply list websites that use Cloudflare and include websites that were not affected by the bug. According to Cloudflare, sites trigger the bug if they use one of three Cloudflare features:
- Email obfuscation.
- Server-side excludes.
- Automatic HTTPS redirects.
Through the Noise clients were affected even though we don’t use these features. We prefer to code things natively on our websites and don’t rely on Cloudflare for these services. We continue to use Cloudflare’s other services, including caching and WAF, and continue to trust and respect Cloudflare’s systems and engineers.
Update and quantifying Cloudbleed impact
Update: it appears that all sites can be affected by Cloudbleed, even if they don’t use the three features above. Only sites that use those features can trigger the bug, but the bug can leak information from any site on Cloudflare. In other words, even though only a small number of sites could trigger the bug, all sites could be affected by it.
Since we originally published this post, Cloudflare has published a post quantifying the impact of Cloudbleed. Because of the random nature of the bug, the amount of sensitive information leaked is less than 1%, and it is unlikely that any passwords or other highly sensitive information was leaked.
We continue to follow the story, but so far it looks like this bug is remarkable for its potential impact, and luckily there was no real impact.
Website security tasks after Cloudbleed
As a precaution, we recommend the following actions for all sites that use Cloudflare, even if your site does not use the three features above. If you’re a Through the Noise client, we have already taken these precautions for you.
Reset all login cookies, for example by changing your WordPress secret keys.
Some of the leaked information included login cookies. Hackers can use these to log in to the site without a password, “stealing” your logged-in session. Manually logging out users and changing salts and secret keys will ensure stolen cookies cannot be used.
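To make concrete why changing the secret keys is what renders a stolen cookie useless, here is an added example (not from the original post, and not WordPress’s own code): a minimal keyed login cookie in Python. The cookie layout (`user|expiry|mac`), the secret values and the timestamps are all constructed for illustration. WordPress’s auth cookie follows a similar keyed-hash design but differs in its exact fields; the point demonstrated here is the mechanism, not the format.

```python
"""Toy model of a keyed login cookie and what rotating the server secret does to it.

Added example, not from the original post: the cookie layout (user|expiry|mac)
and the secret values are constructed here for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_cookie(username: str, secret: str, ttl_seconds: int = 3600,
                 now: Optional[float] = None) -> str:
    """Build a login cookie whose integrity is bound to the server-side secret.

    The MAC covers both the username and the expiry, so neither can be altered
    without knowing the secret.
    """
    expiry = int(_now(now) + ttl_seconds)
    payload = f"{username}|{expiry}"
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, secret: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is well-formed, unexpired and signed
    under the *current* secret; otherwise return None."""
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed cookie
    if _now(now) >= expiry:
        return None  # expired
    expected = hmac.new(secret.encode(), f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information about the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def rotate_secret() -> str:
    """Generate a replacement secret. Every cookie signed under the old value
    stops validating the moment the server switches to this one, which is the
    effect of changing the WordPress secret keys and salts."""
    return secrets.token_hex(32)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the lifecycle: valid cookie, forged copy, rotated secret, expiry."""
    old_secret = "constructed-old-secret-value"  # constructed placeholder
    now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    cookie = issue_cookie("alice", old_secret, now=now)
    # A leaked cookie with the username edited: the MAC no longer matches.
    forged = cookie.replace("alice", "admin", 1)
    new_secret = rotate_secret()
    return {
        "valid_before_rotation": verify_cookie(cookie, old_secret, now=now),
        "forged_rejected": verify_cookie(forged, old_secret, now=now),
        "valid_after_rotation": verify_cookie(cookie, new_secret, now=now),
        "expired_rejected": verify_cookie(cookie, old_secret, now=now + 7200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running `demo()` shows the leaked cookie validating under the old secret, then failing under the rotated one without any per-user action; that is why rotating the keys is listed ahead of password changes. The expiry check matters too: a leaked cookie is only dangerous for as long as it is both unexpired and signed under a secret the server still honours.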
Change all passwords.
It goes without saying that any compromised passwords must be changed. In general, all users’ website passwords should be changed.
Notify your users.
Let your users know that their passwords have been changed. Ask them to follow the “forgotten password” procedures to generate a new password. In addition:
- Remind your users that they should not use the same password in multiple sites.
- Recommend two-factor authentication.
Enable malware, hack, or intrusion monitoring.
If you don’t already have malware or intrusion monitoring enabled on your website, now is a good time to start.
Standard security tasks
In addition to the above Cloudbleed-specific tasks, this is a good time to think about your website security in general:
- Review and test your incident response and communications plan.
- Implement two-factor authentication.
- Use a password manager such as LastPass.
Ask for help.
If you have any additional questions about Cloudbleed, your website, or your organization’s cybersecurity, we are here to help.