If you don’t follow the tech Twitter-verse as obsessively as we do, you may not be aware that a major data breach at Cloudflare has put user passwords, messages and other information at risk all over the internet.
Cloudflare provides web security and performance services for companies like Uber and OkCupid, among many, many others. A significant chunk of web traffic flows through Cloudflare, and the data breach now known as Cloudbleed dates back to last September, according to New York magazine’s Select All blog—though Cloudflare didn’t disclose it publicly until Thursday.
While all the typical security advice applies in this situation—it’s probably a good idea to update your passwords, and enable two-factor authentication on your accounts when possible—what strikes us about the Cloudbleed debacle is how so much havoc was wreaked based on what Gizmodo describes as a simple, one-character coding error.
Apparently, the company’s switch to a new HTML parser led to what’s known as a buffer overrun vulnerability. Instead of being stored temporarily in a buffer, user data from some sites was leaked into another, insecure location. It could then be returned under certain circumstances in response to an HTTP request, including from search engines.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” wrote Tavis Ormandy, the Google security expert who discovered the breach, in a bug report. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
Turns out some poor schmoe at Cloudflare made an error when formatting the parser to work with the company’s own software. If “>=” had appeared in a key portion of code rather “==” the buffer overrun would have been caught, according to a company blog post.
Cloudflare said that its customers’ private SSL keys were not leaked, and it acted quickly to contain the breach after it was discovered this month. Nevertheless, there’s a moral to this story: In our business, attention to detail is everything.
In other embarassing glitch news, Google disclosed Thursday that it had accidentally, remotely reset its Wifi and OnHub routers to factory settings, causing customers to have to set them up again. D’oh!