Reading:
The most worrying web leak of 2017: Cloudflare’s #CloudBleed
Share:
cloudflare cloudbleed

The most worrying web leak of 2017: Cloudflare’s #CloudBleed

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Google’s Project Zero team detected a huge data leak on Friday 24 February which may persuade you to change all your passwords.

According to Cloudflare’s incident report, a bug exposed private session keys and other sensitive data of 2 million sites on the Cloudflare network.

Once again – no one is safe!

What is the issue with Cloudflare?

Cloudflare is a company that provides web security to an estimated 5.5 million websites on the internet. Websites that could potentially be affected include well-known sites such as Uber, Transferwise, Weebly and OKCupid. A full list can be seen here (https://github.com/pirate/sites-using-cloudflare).

The problem was first noticed by Tavis Ormandy from Google’s bug team when he saw corrupted web pages being returned by some HTTP requires that run through Cloudflare.

For example, if you visited an affected website, the data could be returned from a previous request from the website. Pen Test Partners whitehat hacker Andrew Tierney explained: “This sensitive data could’ve been returned to anyone”.

Twitter response

Multiple Twitter users have sought to get #CloudBleed trending to notify people to change their passwords after the serious data breach. Other users have seen the silver lining in the situation by making a dark joke of “Happy password reset day”.

Some may joke about the event, but seeing the speed and trend of data breaches, there may well be a dedicated day in the near future. It’s not such a bad idea as this will highlight the importance of data security for companies and businesses alike, as well as highlighting to individuals the proactive approach they must take to prevent being victimised by such cyber-crimes.

Cloudflare’s response

Cloudflare’s response method can be seen on their website. They said that the problem was identified quickly and managed to turn off three minor Cloudflare features that were using the same HTML chain that was the cause of the data leak.

Due to the seriousness of the bug, a cybersecurity team from software engineering infosec and operations were formed in San Francisco and London to diagnose and understand the cause of the leak. Having a global team allowed them to work on the problem for 24 hours a day. The team has highlighted the advantages of this service; a reported bug can be fixed in minutes to hours instead of months. Cloudflare backed this up by saying that the standard time to fix a bug can usually take up to three months, however they stated that the bug was fixed in under 7 hours, with the initial mitigation of the effects done in 47 minutes.

Some may say that the reaction time of Cloudflare was extremely speedy following the ‘Cloudbleed’ scenario as a team was assembled in San Francisco just 30 minutes after Mr Ormandy tweeted:

Though the effects may have been mitigated, and the bug fixed in an extraordinarily swift amount of time, we mustn’t forget that that the bug was serious and the leaked memory could’ve contained private and sensitive information.

It’s a good thing that the Google team contacted Cloudflare and are working closely with them to rectify the problems that may arise following the memory leak.

Lessons learned?

Cloudflare has learned their lesson and has taken extra precautions with the new HTML server; the cybersecurity team spent hours verifying the new server to ensure that it didn’t contain any cybersecurity problems. The team is also continually reviewing the older software in search for potential other cybersecurity issues.

The only helpful advice that can be given at this moment in time is to terminate all related sessions and change all passwords for affected accounts.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

SRA
Contact
www.dataleaklawyers.co.uk is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon