How a Simple Coding Error Became a Massive Data Breach


In late February 2017, Cloudflare Inc., one of the world’s largest internet security companies, was busted for leaking personal and sensitive data all over the internet for months without anyone realizing it. This is a rather ironic turn of events, since the company involved is an internet service aimed directly at increasing the security of websites, offering DNS services, preventing the always-feared DDoS attacks and even configuring SSL encryption for other companies, such as Uber, OkCupid, Cisco and FitBit. In short, Cloudflare is one of the world’s main companies contributing to a safer internet. Or at least it was, until now.

In fact, this vulnerability was so vast and serious that it got its own nickname, Cloudbleed, striking fear in millions of users. Although the company still wasn’t able to specify an accurate number, we know that at least 150 of Cloudflare’s websites or services, and nearly 3,500 domains suffered from the aforementioned data leaks. And all it took to happen was just a simple coding error.

More smoke than fire?

The internet community needed anything but another serious data breach, especially after the infamous Yahoo scandal where something like 1 billion accounts were compromised. More shockingly, the problem could’ve been discovered way earlier: the entire Cloudbleed event dates back to September 2016, which means that data was leaking for about 6 months without anyone having a clue about it. And if it hadn’t been for a Google security researcher in February 2017, the data breach could still be happening for God knows how much longer. The compromised data included encryption keys, chat logs, cookies, IP addresses, member IDs, passwords and a whole lot more.

However, what makes Cloudbleed more impressive is that it was caused by the simplest of errors: a coding bug in one of the many HTML tags composing any internet page. To tell a long story short, the “>=” tag was accidentally replaced by a “==”, and the Cloudflare apocalypse began. Pages having these wrong tags caused Cloudflare’s proxy servers to reveal data belonging to previous users in the webpage source or at the bottom of a page on the next user’s browser.
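Why swapping “>=” for “==” matters in an end-of-buffer test, as an added illustration (not Cloudflare's code and not part of the original article): the scanner, its two-byte step on `=`, and the memory layout are constructed assumptions. When the read pointer can advance by more than one byte, it can jump over the end marker, so the equality test never fires and reading continues into whatever lies next in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout: a 16-byte page that ends in an unfinished
   attribute, followed by unrelated data standing in for another
   request's memory. Every read below stays inside arena[]. */
#define PAGE_LEN 16
static const char arena[] = "<p>hi</p><img s=" "SESSION=constructed-secret";

/* Hypothetical scanner: an '=' consumes two bytes (itself and the first
   value byte), so p can step over pe without ever being equal to it.
   Bytes read at or beyond pe are copied to out; returns their count. */
static size_t scan(size_t page_len, int use_ge, char *out, size_t out_cap)
{
    const char *p = arena, *pe = arena + page_len;
    const char *mem_end = arena + sizeof(arena) - 1;  /* demo safety bound */
    size_t leaked = 0;

    if (out_cap == 0)
        return 0;
    while (p < mem_end) {
        if (use_ge ? (p >= pe) : (p == pe))  /* the one-operator difference */
            break;
        if (p >= pe && leaked + 1 < out_cap)
            out[leaked++] = *p;              /* read from outside the page */
        p += (*p == '=' && mem_end - p >= 2) ? 2 : 1;
    }
    out[leaked] = '\0';
    return leaked;
}

int main(void)
{
    char out[64];
    printf("==, well-formed page: %zu bytes\n", scan(9, 0, out, sizeof out));
    printf("==, truncated page:   %zu bytes (%s)\n",
           scan(PAGE_LEN, 0, out, sizeof out), out);
    printf(">=, truncated page:   %zu bytes\n", scan(PAGE_LEN, 1, out, sizeof out));
    return 0;
}
```

The well-formed page leaks nothing under either check, which is why a defect of this kind can stay hidden until an unusual input arrives.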


Thankfully, once the issue was found and communicated to the company by Google Project Zero’s researcher, Cloudflare took immediate action: it not only stopped the leak but also released a security patch to the entire system within only 7 hours. However, despite Cloudbleed’s apparent severity, a former Cloudflare employee stated that the chances of a major impact on regular users are pretty low. Furthermore, the company is confident that no hackers were able to find the leak before Google did, since there was no detectable increase in requests to any of the websites run by Cloudflare during Cloudbleed. In fact, curiously, the logs on Cloudflare systems show that the leak’s peak took place between the 13th and 18th of February, during which only one in every 3,300,000 HTTP requests was leaking data.

Is Cloudflare still safe?

Although there was more than enough time for wrongdoers to compromise the leaked information, Cloudflare reacted quickly and successfully averted a massive jump scare – unless some hackers secretly discovered the leak (which is very unlikely). Still, the company strongly suggests that users not only change their passwords but also opt for two-factor authentication to be defended against hackers more effectively.

