Customer data could be at risk after a bug at content delivery specialist Cloudflare spilled private information from its clients online. The bug, which was caused by a memory link in a broken HTML parser chain, was discovered accidentally by Google security specialist Tavis Ormandy. It was fixed quickly, but there are fears the problem could have led to information leaks.
Any leak presents a significant risk to businesses integrity, but it also provides a useful reminder on the importance of security best practice. Experts suggested IT managers should reflect on the news and respond proactively to keep their organizations safe.
Leak Threatens Customer Data
According to the Cloudflare blog, Ormandy contacted the firm after seeing corrupted webpages returned by HTTP requests run through Cloudflare.
The problem arose because Cloudflare’s edge servers were running past the end of a buffer and returning memory that contained private information, such as HTTP cookies and authentication tokens. The impact of the incident was increased by the fact that some leaked customer data had been cached by search engines.
Cloudfare CTO John Graham-Cumming said the greatest period of impact was between Feb. 13 and 18, when about 1 in every 3,300,000 HTTP Cloudflare requests led to memory leakage. He estimated that the leakage represented roughly 0.00003 percent of all requests.
Cloudfare’s Response
The bug may have been leaking customer data to the web for months. Ormandy reported on Chromium that he discovered a broad range of personal information, including private messages from dating sites, full messages from chat services and online password manager data.
Once alerted, Cloudflare took quick reactive steps to fix the leak. The firm turned off features that used the HTML parser chain that caused the bug. And in more good news, the SSL private keys of customers were not leaked.
Cloudflare has worked with search engines around the world to remove leaked information from cached pages. However, the long-term effects of the leak are difficult to judge. Cloudflare clients, which include e-commerce sites, government organizations and finance firms, could face pressure to talk about the extent of their exposure, noted InfoWorld.
How Should IT Managers React?
Ormandy praised Cloudflare for its rapid response to the issue. However, IT managers and end users should be aware of the potential risk of exposure. They should consider proactive action immediately before the consequences of the leak become apparent.
Infosecurity Magazine quoted SkyHigh Networks CTO Kaushik Narayan, who suggested that the Cloudflare incident is a timely reminder to IT managers about the importance of secure passwords. Narayan’s research estimated 99.7 percent of companies have at least one employee who has used a potentially vulnerable application.
Security specialist Shuman Ghosemajumder suggested to Infosecurity Magazine that almost any password on more than 4 million websites could have been compromised because of the Cloudflare incident. The safest action, as laborious as it might seem, is to act as if a compromise has taken place and to change all account passwords immediately.