Tavis Ormandy from Google’s Project Zero discovered a security problem with Cloudflare’s servers - a leak which has been dubbed Cloudbleed.
Cloudflare provides essential internet infrastructure and security to millions of websites.
This bug puts users' information such as private messages, authentication tokens, passwords and other sensitive data at risk.
The greatest concern is that search engines were caching the leaked information, and the data has been vulnerable since.
As soon as Cloudflare was notified on February 17th, they disabled the features that were causing the problem and started to delete all the caches of data that may have exposed personal information.
The removal has not yet been completed.
While some are comparing this leak to the devastating Heartbleed bug in 2014, the breach is not on the same scale. At least not yet.
Heartbleed affected half a million websites, whereas this bug has hit approximately 3,400.
It remains to be seen if more websites will be impacted, but Cloudflare’s response to the breach was quick.
According to a blog post by the company:
“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
Officials from companies whose websites have been exposed, such as OkCupid and Uber, have reported minimal impact from the bug.
What should you do?
Keep in mind that nothing you do now will change what has already happened, but you can see if your information is at risk - check to see if sites you use are impacted.
Take this internet security scare as a reminder to change all your passwords whether you use impacted websites or not, and do this on a regular basis.
Ensure you use strong passwords and different ones for different sites.
If websites or services offer two-step verification, use it.
Cybersecurity is of vital importance, especially as digital use and mobile commerce continue to grow.
Not only are corporations responsible for taking steps to protect the personal information of their clients, but users also have to remain vigilant.