Securing Access After the Cloudflare Bug & Data Leaks

Last week, Cloudflare made a code change that allowed for access to their customers’ cloud servers, leaking private and sensitive data.

The company is a content delivery network (CDN) service, which delivers web content to users based on their geographic location to ensure optimal performance and availability.

Naturally, a bug in this type of service can affect many. However, according to Cloudflare, this affected just a small subset of their customers, around 150. Cloudflare has over two million websites on its network, and the greatest impact was between Feb. 13-18 of this year. The bug has since been patched.

What Happened

In order to increase content delivery performance, Cloudflare used existing code in one language to generate code in another.

But this allowed a user’s query to return data that exceeded a buffer: data from Cloudflare’s servers ran past the end of this buffer, and the extra data was tacked onto the regular response, according to Mark Loveless, Sr. Security Researcher at Duo.

Private data was returned in server requests, and some search engines crawling the Internet cached this data. The data included session keys, passwords, personal information, etc.
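The kind of over-read described above can be shown in a few lines of C. This is an added illustration, not Cloudflare's code and not part of the original article: a scanner whose end-of-buffer test uses equality only can step past the end and keep copying neighboring memory into the response, while a range test stops. The function name, the two-byte escape rule and the sample data are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_LEN 10   /* logical length of the request buffer */

/* Constructed memory: a 10-byte request ending in a lone backslash, followed
   by unrelated data. One array, so the demo never leaves a defined object. */
static const char arena[48] = "value=abc\\" "session=CONSTRUCTED";

/* Copy the request into out, dropping two-byte backslash escapes.
   range_check == 0: end test is "p == pe" (equality only, the weak form)
   range_check == 1: end test is "p >= pe" (hardened form)
   Returns the number of bytes written; out is NUL-terminated. */
size_t copy_request(int range_check, char *out, size_t cap)
{
    const char *p = arena;
    const char *pe = arena + REQ_LEN;              /* end of the request */
    const char *limit = arena + sizeof arena - 2;  /* demo guard only */
    size_t n = 0;

    while (p < limit && *p != '\0' && n + 1 < cap) {
        if (range_check ? !(p < pe) : (p == pe))
            break;                 /* parser believes it reached the end */
        if (*p == '\\') {          /* escape: consume two bytes at once */
            p += 2;                /* a trailing '\' steps p to pe + 1 */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char weak[48], safe[48];
    size_t a = copy_request(0, weak, sizeof weak);
    size_t b = copy_request(1, safe, sizeof safe);
    printf("equality check: %zu bytes \"%s\"\n", a, weak);
    printf("range check:    %zu bytes \"%s\"\n", b, safe);
    return 0;
}
```

With the equality test the pointer jumps from the last request byte to one past the end, never equals `pe`, and the output picks up the adjacent constructed data; the range test returns only the nine request bytes.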

For a far more technical and detailed overview of the incident, response, and timeline of events, check out Cloudflare’s blog.

What To Do

While there’s currently no official list of servers that were affected, hopefully server owners and Cloudflare can work together to help identify what should be done for their users. You can find an unofficial list of affected domains here.

As octal suggests in his blog, site operators that use Cloudflare should practice their incident response process and proactively communicate with customers about how they might be affected. He also recommends updating administrator credentials, and requiring site users to log in again with existing passwords by resetting session tokens, in lieu of a mass forced password reset.

Since the sensitive data included credentials, make sure you change your account passwords and enable two-factor authentication, which can prevent an attacker from accessing your accounts using only passwords that may be floating around in search engine caches, as TechCrunch reported.

Using a password manager such as LastPass can help you generate unique passwords and maintain your account logins.

Note: Duo Security does not use Cloudflare for any of its production services.