A CloudFlare leak probably doesn’t mean much to most internet users. It should.
Over 5.5 million websites use CloudFlare, and chances are you’re using one of them daily. Sites like FitBit, Yelp, Medium, CodePen, OKCupid, and Uber are just a small sample of sites that rely on the service. Today’s announcement that it had been leaking sensitive information for several months means it’s possible, probable even, that you’ll have a password or two that made its way into the wild.
It’s outside the grasp of most web users, but for someone used to crafting specific search engine queries to look for leaked data, the information is there: search engines had crawled and cached pages that contained the leaked memory. Tavis Ormandy, the Google security researcher who discovered the vulnerability, found it precisely this way. Ormandy said:
[After discovering the data], we figured out how to reproduce the problem. It looked like that if an html page hosted behind CloudFlare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but CloudFlare specific and worse for reasons I’ll explain later).
He went on to explain:
We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major CloudFlare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted CloudFlare security.
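As an added illustration (not code from this article, from Ormandy, or from CloudFlare), the toy tag scanner below models the bug class CloudFlare later described in its incident report: the end of the input buffer was tested with an equality comparison, so a pointer that had already stepped past the end of the buffer was never caught and the scanner kept copying whatever lay beyond the page in memory. The page text, the “stale data from a previous request” placed after it, and the cookie value are all constructed for the demo; the backing array is kept larger than the logical page so the over-read stays inside one object and the example is well defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy scanner, not CloudFlare's parser.  It finds the first tag in
 * html[0..len), skips the tag name, and copies the attribute text up to and
 * including the closing '>' into `out`.  With fixed == 0 the end-of-buffer
 * test is written as `== pe` (the Cloudbleed bug class); with fixed != 0 it is
 * `>= pe`.  Returns the number of bytes written to `out`.
 */
static size_t scan_tag(const char *html, size_t len,
                       char *out, size_t out_cap, int fixed)
{
    const char *p  = html;
    const char *pe = html + len;          /* one past the last page byte */
    size_t n = 0;

    while (p < pe && *p != '<')           /* locate the start of a tag */
        p++;
    if (p == pe)
        return 0;                         /* no tag on the page */

    do {                                  /* consume "<name" up to a delimiter */
        p++;
    } while (p < pe && *p != ' ' && *p != '>');

    if (p < pe && *p == '>') {            /* "<name>": tag has no attributes */
        if (out_cap > 0)
            out[n++] = '>';
        return n;
    }

    /* If the tag name ran into the end of the buffer (an unterminated
     * "<script" as the last thing on the page), p == pe here.  The loop
     * below advances first and then tests for the end, so the first ++p
     * lands on pe + 1. */
    for (;;) {
        /* The bug: once p is past pe, `++p == pe` is never true again and the
         * scanner keeps emitting bytes that belong to other requests. */
        if (fixed ? (++p >= pe) : (++p == pe))
            break;
        if (n == out_cap)
            break;                        /* output is full */
        out[n++] = *p;
        if (*p == '>')
            break;                        /* closing bracket: tag complete */
    }
    return n;
}

/* Constructed memory layout: the proxied page occupies the first PAGE_LEN
 * bytes; the bytes after it stand in for what a previous request left behind
 * in the same buffer (a made-up session cookie). */
#define PAGE_LEN 13
static const char backing[] =
    "Hello <script"                        /* the page: an unterminated tag */
    " SESSION=abc123; token=secret>";      /* stale data from another request */

/* Constructed well-formed page for comparison. */
static const char page_ok[] = "Hello <script src=a.js>";

/* Runs the scanner over the unterminated page and returns what it emitted. */
const char *leak_demo(int fixed)
{
    static char out[64];
    size_t n = scan_tag(backing, PAGE_LEN, out, sizeof out - 1, fixed);
    out[n] = '\0';
    return out;
}

/* Runs the scanner over the well-formed page; both variants behave alike. */
const char *wellformed_demo(int fixed)
{
    static char out[64];
    size_t n = scan_tag(page_ok, strlen(page_ok), out, sizeof out - 1, fixed);
    out[n] = '\0';
    return out;
}

int main(void)
{
    printf("well-formed page, vulnerable scanner: \"%s\"\n", wellformed_demo(0));
    printf("unterminated tag, vulnerable scanner: \"%s\"\n", leak_demo(0));
    printf("unterminated tag, fixed scanner:      \"%s\"\n", leak_demo(1));
    return 0;
}
```

On the well-formed page both scanners emit `src=a.js>`. On the page that ends in an unterminated `<script`, the `==` variant emits the constructed cookie from the memory after the page, which is the shape of what Ormandy saw in the wild, while the `>=` variant emits nothing. The lesson for any hand-written or generated parser is the same: bound checks on a moving pointer must be `>=`, never `==`, because some path will eventually overshoot by more than one.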
The number of leaks was relatively small, about 0.00003% of HTTP requests, according to CloudFlare. The implications, however, are huge. The bug is now patched, but copies of the leaked data may survive in search engine and other caches, where attackers can still go looking for them, or as security researcher Ryan Lackey wrote: “presence of data in searchable caches might make small-scale exploitation possible.” Lackey also noted it’s likely not an “end of the world” event, as “vulnerable data is probably fairly randomly distributed across the internet.”
Still, the potential for abuse isn’t nothing. Because of this, it’s never a bad idea to change your passwords, at least at affected sites. The “Does it use CloudFlare?” web app is a good place to start: it lets you submit sites you use regularly to determine whether or not they sit behind CloudFlare and so may have been affected by the vulnerability.
If it’s sound advice you’re looking for, it’s a great time to change any re-used password. The vulnerability is patched, but passwords leaked before the fix are now in the wild, and attackers routinely try leaked credentials against other services. Any password you used to access more than one site could open the door for hackers to gain entry using your credentials. Put simply, your leaked OKCupid password could give hackers access to your Google account, or your bank, if those accounts use the same password.
Stay vigilant out there.