Cloudbleed

This morning, news broke that Cloudflare, a popular content delivery network (CDN), contains a critical vulnerability that is believed to have leaked all types of user information, from passwords to private messages, on millions of websites. This vulnerability is so serious that the Google researcher who uncovered it, Tavis Ormandy, compared it to the 2014 Heartbleed bug, dubbing this new flaw “Cloudbleed.” Continue reading to learn more about Cloudflare and what you can do to protect yourself from this data leak.

What is Cloudbleed?

Cloudbleed is the unofficial name for a security flaw discovered in Cloudflare, a CDN that helps web services distribute data to audiences across the world. It’s a very popular platform that is offered by many web hosts and sought out by numerous web services. What Ormandy discovered last week was that some, but not all, traffic coming from sites that used Cloudflare was both unencrypted and viewable to more than the intended recipient. That traffic can be anything from passwords to security tokens, cookies and even private messages.

This error was the result of a buffer overflow, which is a fancy way of saying that data was placed into the wrong areas of Cloudflare’s servers and some of it ultimately ended up being sent to the wrong web browsers. The worst part is that misallocated data was not encrypted, so even if users were visiting a website using HTTPS – a highly recommended cybersecurity practice – if any of their data was leaked through the overflow, it was likely seen in plaintext rather than as encrypted character strings. In some cases, search engines might have even stored and indexed the contents of this leaked data, because to a search engine this content would be indistinguishable from the other content that is “supposed” to belong to the page.
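
To make the mechanism above concrete, here is a simplified model added as an illustration; it is not Cloudflare's code, and the pool layout, function names and sample data are assumptions. Two visitors' data sit side by side in one memory pool, and a response builder that trusts a length without checking it against its own slot copies the neighbour's plaintext into the reply, while the bounds-checked version does not.

```c
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 128
#define SLOT_SIZE 32   /* bytes reserved per request */

/* One shared pool holding two unrelated requests (constructed sample data). */
static char pool[POOL_SIZE];

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    memcpy(pool, "<p>hello</p>", 12);                                /* slot 0: page for visitor B */
    memcpy(pool + SLOT_SIZE, "Cookie: session=EXAMPLE-SECRET", 30);  /* slot 1: visitor A's data */
}

/* Vulnerable: trusts claimed_len, so the copy can run past slot 0 into slot 1. */
static size_t build_response_unsafe(char *out, size_t out_cap, size_t claimed_len) {
    if (claimed_len > out_cap) claimed_len = out_cap;  /* guards out, not the source slot */
    memcpy(out, pool, claimed_len);
    return claimed_len;
}

/* Hardened: clamps the length to the slot owned by this request. */
static size_t build_response_safe(char *out, size_t out_cap, size_t claimed_len) {
    if (claimed_len > SLOT_SIZE) claimed_len = SLOT_SIZE;
    if (claimed_len > out_cap) claimed_len = out_cap;
    memcpy(out, pool, claimed_len);
    return claimed_len;
}

/* Returns 1 if needle occurs in the first len bytes of buf. */
static int contains(const char *buf, size_t len, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Serves one 64-byte request; returns 1 if visitor A's secret reached visitor B. */
static int response_leaks(int hardened) {
    char out[POOL_SIZE];
    pool_init();
    size_t n = hardened ? build_response_safe(out, sizeof out, 64)
                        : build_response_unsafe(out, sizeof out, 64);
    return contains(out, n, "EXAMPLE-SECRET");
}

int main(void) {
    printf("unsafe leaks: %d, safe leaks: %d\n", response_leaks(0), response_leaks(1));
    return 0;
}
```

The leaked bytes are plaintext because they are read from server memory before the response is encrypted for transport, which is why HTTPS on the visitor's connection does not help here.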

How bad is this flaw?

It’s not really clear how bad this is. So far there are no known victims, and not all traffic from Cloudflare was susceptible to the bug. The vulnerability has apparently been around since September, but it’s not clear that anyone other than Ormandy discovered it. While any of this exposed traffic could be seen as plain as day by anyone, they would have to have known about the vulnerability to take advantage of it. Also, while Cloudflare services a lot of websites and web apps – including those of major brands like Uber, OkCupid and Fitbit – unlike with Heartbleed, the flaw only lies with one service. Even then, given how obscure the flaw seems to be (Ormandy discovered it by accident), it doesn’t seem to have been exploited in the same way as Heartbleed might have. Of course, if there truly are any victims of Cloudbleed, we may never know, as it’ll likely be indistinguishable from being the victim of any other data breach. The silver lining is that Cloudflare has stated that at its peak, the largest amount of traffic affected by Cloudbleed was only about 1 in every 3,300,000 HTTP requests or 0.00003% of traffic.

How can I protect myself?

The first concern of cybersecurity is safety. In the eyes of many experts, it’s better to be safe than sorry, and changing your passwords whenever you hear about a breach or widespread vulnerability is the best way to do that. While it’s not exactly known which web services and websites running Cloudflare were affected, Internet users have taken it upon themselves to simply compile lists containing any service that is known to use Cloudflare in any capacity. Keep in mind that these aren’t complete lists – there could be sites and services on the list that weren’t affected and some not on these lists that were affected. Still, having this information allows you to be proactive in protecting your data from potential future threats.
