This morning it was revealed that Cloudflare, a security and web performance company and one of the largest and most important on the internet, had identified "a small flaw" in its code that exposed data from an undetermined number of sites. According to the company's statement, the vulnerability has been located and fixed, but what is now known about the breach makes it more serious than was first thought.
To give some context, Cloudflare offers, among a wide range of services, technology used by more than 5.5 million Internet sites, including Uber, OKCupid, 1Password and Fitbit. That means a very large amount of private data has been exposed, a potential security disaster whose scale makes the level of damage impossible to determine so far.
So far it is impossible to determine the level of damage
The vulnerability, already dubbed Cloudbleed, was discovered by Tavis Ormandy, a security researcher on Google's Project Zero, who alerted Cloudflare on February 18. What makes it serious is that the bug had been active since September 22, 2016.
The period of greatest impact was between February 13 and 18, when one in every 3,300,000 HTTP requests leaked memory, affecting 3,438 unique domains. To complicate matters further, the leaked data was indexed by Google and other search engines, which left it cached and publicly accessible.
The leaked data includes passwords, personal information, cookies, complete HTTPS requests, API keys, client IP addresses and even hashed authentication tokens. It is estimated that 4,287,625 sites may have been affected, including some iOS apps such as Fitbit's. Here are some of the highlights:
1Password and FastMail have already confirmed that any leaked information was protected by an additional layer of encryption, so their users' data is not at risk. The remaining companies are asking all their users to change their passwords as soon as possible and, where available, to enable two-step authentication.
Cloudflare's explanation contains all the technical details. In summary, the error was a "==" in the code where a ">=" was needed. The check was meant to stop the parser when it reached the end of the buffer holding one site's data, but because the pointer could step past that boundary without ever being exactly equal to it, the parser kept reading memory beyond the buffer, memory that held data belonging to completely different websites, and that data ended up in the responses it returned.
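To illustrate the class of bug described above, the following C program is an added example written for this article; it is not Cloudflare's code, and the scanner, the arena layout and the sample data are constructed assumptions. The scanner can advance its pointer by two bytes at a time, and it is run once with the buggy `p == pe` end-of-input test and once with the corrected `p >= pe`:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample memory for the demonstration: one contiguous arena whose
 * first HTML_LEN bytes are the page being rewritten and whose remaining bytes
 * belong to an unrelated request (another customer's cookie). None of this is
 * real data; the adjacency is an assumption made so the over-read is visible. */
#define HTML     "<b>hi<"
#define HTML_LEN (sizeof(HTML) - 1)
#define NEIGHBOR "SECRET=other-tenant-session-cookie;"

static char arena[HTML_LEN + sizeof(NEIGHBOR)];
static char out[sizeof(arena) + 1];

/* Scan buf[0..len) and copy it to out. A '<' and the byte after it are consumed
 * as one two-byte unit, so p can advance by 2. The end-of-input test runs after
 * each unit: the buggy form uses p == pe, the fixed form p >= pe. limit marks
 * the end of the arena (where a real over-read would eventually fault).
 * Returns the number of bytes written to out. */
static size_t scan(const char *buf, size_t len, const char *limit, int use_eq)
{
    const char *p = buf;
    const char *pe = buf + len;     /* one past the last valid byte */
    size_t n = 0;

    while (p < limit) {
        out[n++] = *p;
        p += (*p == '<') ? 2 : 1;   /* a '<' swallows the following byte */

        /* The bug class: if a '<' is the last byte of the buffer, p jumps from
         * pe-1 to pe+1, `p == pe` is never true, and the scanner keeps reading
         * memory past the buffer. `p >= pe` stops at the boundary. */
        if (use_eq ? (p == pe) : (p >= pe))
            break;
    }
    out[n] = '\0';
    return n;
}

/* Lay out the arena and run the scanner over the HTML part only. */
static size_t run(int use_eq)
{
    memcpy(arena, HTML, HTML_LEN);
    memcpy(arena + HTML_LEN, NEIGHBOR, sizeof(NEIGHBOR));
    return scan(arena, HTML_LEN, arena + sizeof(arena), use_eq);
}

/* Number of bytes the scanner emitted: 5 when fixed, 40 when buggy. */
size_t scanned_bytes(int use_eq)
{
    return run(use_eq);
}

/* 1 if the neighbour's secret ended up in the output, 0 otherwise. */
int leaks_neighbor(int use_eq)
{
    run(use_eq);
    return strstr(out, "other-tenant") != NULL;
}

int main(void)
{
    size_t n;
    n = scanned_bytes(0);
    printf("fixed (>=): %zu bytes, leak=%d, out=\"%s\"\n", n, leaks_neighbor(0), out);
    n = scanned_bytes(1);
    printf("buggy (==): %zu bytes, leak=%d, out=\"%s\"\n", n, leaks_neighbor(1), out);
    return 0;
}
```

With the corrected comparison the scanner stops after the five bytes of the page, even though the input ends with a dangling `<`. With the original comparison the pointer steps over the boundary and the scanner carries on copying whatever lies next in memory, here the neighbouring tenant's cookie, until something else stops it. In a server handling many customers' requests in the same process, the memory past the buffer is simply whatever request happened to be adjacent, which is why data from unrelated sites appeared in responses.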
Cloudflare claims that only a small amount of data leaked, but given that the vulnerability was present for five months and that much of that data was stored in the caches of browsers and search engines, the problem does not end with Cloudflare's fix: all that information, whose extent, I repeat, is impossible to determine, very probably remains available somewhere on the internet.