You may have heard about Cloudbleed, a serious internet security bug uncovered in February 2017 by a Google security researcher. So far its measurable impact has been small next to that of Heartbleed, the infamous OpenSSL bug that in 2014 left an estimated half a million websites exposed.
Nevertheless, Cloudbleed is unsettling for individuals and businesses alike. If you're responsible for security at any level, you'll want to know the important facts about the bug in Cloudflare's infrastructure.
Here are five things you need to know about Cloudbleed for your business.
1. Cloudflare Mitigated Cloudbleed Within an Hour
It is disconcerting that a company whose service sits in front of client websites to protect them was instead leaking their data. The response, at least, was fast: Cloudflare disabled the feature that triggered the leak (Email Obfuscation) 47 minutes after receiving Tavis Ormandy's report and had a complete fix deployed in under seven hours.
Make no mistake, however: before Google Project Zero's Ormandy found the bug in mid-February 2017, Cloudbleed had been leaking client data such as passwords, API keys and session cookies for roughly five months; Cloudflare dates the earliest possible leak to September 2016.
In case you weren't aware, Cloudflare provides internet infrastructure (CDN, DNS and DDoS protection) to millions of websites. Its clients include the likes of Uber, Nasdaq and Cisco, according to its website. Many of its clients' websites were affected by Cloudbleed, including Fitbit, which acknowledged the leak in a blog post in February.
2. Cloudbleed Affected a Very Small Percentage of HTTP Requests
The leak came from a bug in Cloudflare's HTML parser, so it was only triggered by pages whose HTML had a particular shape (in practice, a page ending in an unterminated tag) and that used one of three Cloudflare features that rewrite HTML: Email Obfuscation, Server-Side Excludes or Automatic HTTPS Rewrites. That came to about 3,000 customers, and even at the peak (13 to 18 February) Cloudflare estimated that around one in every 3.3 million HTTP requests through its network could have leaked memory. One caveat matters for anyone assessing exposure: the memory that leaked could hold data from any request being handled on the same server, so a site that never triggered the bug could still have had its users' cookies or passwords exposed through a neighbour's page.
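To make the mechanism concrete, here is an illustration added to this article; it is not Cloudflare's code. Cloudflare's incident report traced the leak to a pointer check in its generated HTML parser that tested for the end of the buffer with == rather than >=, so a pointer that had already stepped past the end kept reading whatever memory followed the page. The C below models that class of bug on a constructed memory arena: the tiny parser (first_attr_value, scan_arena), the HTML page and the neighbouring request are all this example's own inventions, chosen so that the over-read stays inside one array and the program runs safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * One slab of "server memory", constructed for this example. The customer's
 * HTML page is the first PAGE_LEN bytes and ends with an unterminated
 * attribute. The bytes after it belong to a different request that happens to
 * be adjacent in memory, standing in for the other customers' traffic that
 * Cloudflare said the leaked fragments came from.
 */
#define PAGE_LEN 18
static const char ARENA[] =
    "<p>hi</p><img src="                       /* the customer's page, 18 bytes */
    "\nCookie: session=s3cr3t-token\"\r\n";    /* a neighbouring request        */

/*
 * Return the first quoted attribute value found in page[0..page_len) as a
 * NUL-terminated string in out, returning its length, or -1 if the input ends
 * before the closing quote (or out is too small). `hardened` selects the
 * end-of-buffer test: >= (safe) instead of == (the Cloudbleed-style bug).
 */
static int first_attr_value(const char *page, size_t page_len, bool hardened,
                            char *out, size_t outsz)
{
    const char *p = page;
    const char *pe = page + page_len;   /* one past the last byte of the page */
    size_t n = 0;

    while (p < pe) {
        if (*p != '=') {
            p++;
            continue;
        }

        /* Step over '="' to the first byte of the value. If '=' was the very
         * last byte of the page, p now points one byte PAST pe. */
        p += 2;

        for (;;) {
            /* The end-of-buffer test. With ==, a pointer that has already
             * stepped past pe is never equal to it, so scanning continues into
             * whatever memory follows the page. With >= it is caught. */
            bool at_end = hardened ? (p >= pe) : (p == pe);
            if (at_end)
                return -1;
            if (*p == '"') {
                out[n] = '\0';
                return (int)n;
            }
            if (n + 1 >= outsz)
                return -1;
            out[n++] = *p++;
        }
    }
    return -1;   /* no attribute in the page */
}

/* Parse the customer's page out of the arena with the chosen end check. */
static int scan_arena(bool hardened, char *out, size_t outsz)
{
    return first_attr_value(ARENA, PAGE_LEN, hardened, out, outsz);
}

int main(void)
{
    char out[64];
    int n;

    n = scan_arena(false, out, sizeof out);
    printf("== check:  returned %d, leaked \"%s\"\n", n, n < 0 ? "" : out);

    n = scan_arena(true, out, sizeof out);
    printf(">= check:  returned %d (input ended before the closing quote)\n", n);
    return 0;
}
```

With the == check the scan returns the neighbouring request's session cookie as if it were the page's attribute value; with >= it reports a truncated page and stops. The lesson generalises beyond HTML parsers: any hand-rolled scanner that can move its cursor by more than one byte must bound-check with an inequality, never with equality.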
In an interview with WIRED, the CEO of Cloudflare downplayed the bug’s impact:
“It’s obviously very serious for us, and it’s very serious for our customers, but for the individual WIRED reader the chances of this impacting them is relatively minimal,”
-Matthew Prince, CEO of Cloudflare
3. So Far, the Cloudbleed Vulnerability Hasn’t Resulted in Exploitation
Five months of sensitive data leaking onto the public internet, and into search-engine caches (which is why Cloudflare spent the days before disclosure working with Google and other search engines to purge cached copies), sounds apocalyptic. The partial reassurance for businesses is that the leaks were random.
What does that mean?
The leaked bytes were not a dump of any particular site's users. They were whatever happened to sit in the server's memory next to the page being processed: fragments of other customers' requests, which might contain a password or a session cookie, but which no attacker could choose. In other words: data was exposed at random.
So a hacker who knew about the bug could not ask for a given victim's credentials. They could only fetch large numbers of affected pages, or trawl search-engine caches, and sift the fragments for anything usable. What good is a key if you have no idea where the right door is? You might get lucky, but matching the key to the lock takes a great deal of effort, which made Cloudbleed unattractive for exploitation at scale.
Cloudflare states that, as of yet, there is no evidence that any hackers exploited the vulnerability. Read that for what it is: no exploitation was detected, which is not the same as none having happened, and any fragment copied before the caches were purged cannot be recalled. Treat credentials that could have been in transit through Cloudflare during the window as exposed.
4. The Way to Reduce Risk from Cloudbleed Fallout Is to Change Passwords
Hopefully, if you're in charge of security for any business, whether a mom & pop shop or a global enterprise, you already follow the standard measures. For this incident they matter for specific reasons:
- Use a unique password for every account, so a credential leaked from one site opens nothing else
- Turn on multi-factor authentication wherever it is offered, so a leaked password alone is not enough to log in
- Change passwords promptly whenever they may have been exposed; after an incident like Cloudbleed, that means every account at an affected site (a fixed rotation schedule is no substitute for this)
- Log out of and back into mobile apps after an incident: apps hold long-lived session tokens, and a leaked token only stops working once the session it belongs to is invalidated
- If you run a site that was behind Cloudflare during the window, rotate API keys and session-signing secrets and consider invalidating all active sessions, so that any cookies that leaked stop working
5. Cloudflare’s Response is Admirable
One final note: it should be acknowledged that Cloudflare's response to the bug has been praised by the security blogging community. On the day of public disclosure it published a detailed incident report, including the root cause and a timeline of the mitigation.
Compare that with security company FireEye in 2015: when researchers at ERNW found flaws in its products, FireEye obtained a court injunction to restrict what they could publish.
We hope that Cloudflare's response to Cloudbleed is a sign of what's to come: greater transparency and acceptance of responsibility from digital providers. Until that becomes the norm (or the law), we'll have to stay on our toes and keep informed.