New Cloudflare Vulnerability Could Leak Passwords, Logins, and Other Protected Information

Another major security flaw shocked the Internet world last week—Cloudflare, a service that optimizes the security and performance of more than 5 million websites, alerted customers that a recently patched software bug had exposed a wide array of sensitive information. From passwords to website cookies to login tokens, Cloudflare’s vulnerability represents a major hit to online security.

A Google researcher disclosed the issue, but not before it had done nearly five months of damage, with the biggest potential for user impacts occurring in mid-February. The other major issue with Cloudflare stems from the fact that the entire time the service’s security flaws were exposed, much of the disclosed information was being cached.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. “We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bad news is that Cloudflare purports to solve the specific kinds of problems caused by this vulnerability. Three of the service’s core processes—converting HTTP links to the more secure HTTPS variety, blocking email addresses on public web pages, and excluding parts of pages from malicious Internet bots—were the processes affected by the bug.

The good news, however, is that unlike the Heartbleed bug, which was described as “as bad as a security flaw can be,” Cloudflare’s issues were fixed almost immediately when they came to engineers’ attention. In addition, this bug could only be exploited against certain websites—and it didn’t expose what IT experts call Transport Layer Security (TLS) keys. Acclaimed cybersecurity blogger Ryan Lackey added, “Essentially, a broad range of data was potentially at risk, but the risk to any individual piece of data was very low.”

Still, the threat from this Cloudflare vulnerability is real. Tavis Ormandy, the Google researcher who first identified it, said affected sites included Uber, 1Password, FitBit, and OKCupid. And although Cloudflare’s CTO downplayed the impact of the bug, he added that end-user passwords, authentication cookies, authorization tokens used to log into multiple website accounts, and encryption keys Cloudflare uses to protect server-to-server traffic were all at risk of being exposed.

So What Can You Do to Protect Your Critical Information?

1) Change your passwords for all online portals—email accounts, online banking, and any other logins. It might sound obvious (or even pointless, depending on your perspective), but it’s nothing to laugh at: create new, strong, and secure passwords for every online portal, as there’s still no clear indication of the Cloudflare vulnerability’s scope. It only takes a minute and it will instantly improve your online security, keeping your information safer in the future. Using two-factor authentication and a password management tool is crucial, too.

2) Log out and then log back in to all mobile applications. Logging out invalidates your existing session, which addresses the risk of authentication tokens having been exposed through the Cloudflare bug, in addition to mitigating problems caused by cached personal information. Consider turning off automatic form-fill, as well, since this is a popular way that hackers try to surreptitiously collect sensitive data.

3) Consider a remote monitoring and management service with strong layered security to keep your systems safe, secure, and running. Keeping up with the avalanche of tech troubles that seem to plague the Internet nonstop is virtually impossible—especially when you’re trying to run a business. Rather than stressing over anti-virus updates, security updates, and malware protection, shouldn’t you concentrate on giving your customers the best service possible while increasing revenue?

CMIT Solutions is here to help. We take online security and the integrity of your data very seriously, and we’re committed to improving productivity and enhancing efficiency so that you can achieve your business goals. If you want to make technology work for your business, not against it, while protecting against countless cybersecurity issues, contact us today.
