Tech Talk: Cloudbleed is a lesson to us all


March 11, 2017 - 13:22

Rocco Maglio, CISSP (Certified Information Systems Security Professional), has over 20 years in the field of software engineering.

When you visit a site you are trusting not only the people who work at that business, but also every third party they depend on. If any one of those services has a problem, your security can be compromised along with it.

Cloudbleed was a data leak caused by a bug in Cloudflare's own code. Because Cloudflare sits in front of its customers' sites, it potentially leaked data from any site that used its services; some of the larger customers were Uber, OkCupid and Fitbit. Millions of sites use Cloudflare, and ironically enough what they buy from it are security services: DDoS protection, HTTPS and redirects, help with PCI compliance, and more.

Tavis Ormandy, a security researcher on Google's Project Zero, discovered the issue. Searching the web, he found data from major sites that had leaked into search-engine caches: private messages from dating sites, security tokens, and other internal site information.

The leak could not be aimed. An attacker had no way to pick an individual user or site, and no way to ask for a particular piece of data. When the bug triggered, whatever happened to be in the server's memory at that moment, including data from other customers' requests, was written into the response. What is dangerous is that those responses were saved by search engines and other Internet caches, so the cached copies had to be found and purged before someone mined them.
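The post does not describe the mechanism, so here is an added illustration; it is not code from the original post and not Cloudflare's code. In Cloudflare's own incident report the root cause was an end-of-buffer test in its generated HTML parser that compared the cursor to the end pointer for equality rather than with `>=`; an unterminated `<script` tag at the end of a buffer carried the cursor past the end, the equality test never fired, and the parser went on copying adjacent memory into the response. The C below models that defect class on a constructed buffer. Everything in it is an assumption of the example: `page_fragment`, `neighbour_data`, `arena`, `build_arena`, `strip_tags` and `scan_arena` are invented for the demonstration, and the whole thing lives in one array so the modelled over-read never touches memory the program does not own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout (not Cloudflare's): one request's partial HTML is
 * immediately followed by data that belongs to a different request, which is
 * what a shared per-process buffer looks like. Both live inside one array so
 * the over-read modelled below stays within memory this program owns. */
static const char page_fragment[] = "<p>hello</p><script";           /* tag never closed */
static const char neighbour_data[] = "<b>SESSION=abc123;user=alice</b>"; /* another tenant */
static char arena[128];

/* arena = page_fragment || neighbour_data || zero padding; returns page length. */
static size_t build_arena(void)
{
    size_t plen = strlen(page_fragment);
    memset(arena, 0, sizeof arena);
    memcpy(arena, page_fragment, plen);
    memcpy(arena + plen, neighbour_data, strlen(neighbour_data));
    return plen;
}

/* Copy the text outside tags from [p, pe) into out; returns bytes written.
 * lenient != 0 reproduces the defect class: the end-of-input test is an
 * equality on the cursor, but the tag skip can move the cursor past pe.
 * lenient == 0 is the hardened form: every advance is bounded by pe and the
 * end test is p >= pe, so a cursor that overshoots still stops. */
static size_t strip_tags(const char *p, const char *pe, char *out, size_t cap, int lenient)
{
    size_t n = 0;
    for (;;) {
        if (lenient ? (p == pe) : (p >= pe))
            break;                       /* '==' is stepped over once p > pe */
        if (lenient && *p == '\0')
            break;                       /* demo-only sentinel: the zero padding marks the
                                            arena's end; a real process has no such guard */
        if (*p == '<') {
            if (lenient) {
                while (*p != '>') p++;   /* unterminated tag: walks into neighbour_data */
                p++;                     /* step over '>' */
            } else {
                while (p < pe && *p != '>') p++;
                if (p < pe) p++;
            }
            continue;
        }
        if (n + 1 >= cap)
            break;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Run the scan over the constructed arena in the given mode and return the
 * text that would have gone into the HTTP response. */
static const char *scan_arena(int lenient)
{
    static char out[128];
    size_t plen = build_arena();
    strip_tags(arena, arena + plen, out, sizeof out, lenient);
    return out;
}

int main(void)
{
    printf("equality end test : \"%s\"\n", scan_arena(1));
    printf("bounded end test  : \"%s\"\n", scan_arena(0));
    return 0;
}
```

With the equality test the response contains `helloSESSION=abc123;user=alice`: the other tenant's session data has been copied straight into this tenant's page, which is exactly the shape of what turned up in search caches. With the bounded test the response is just `hello`. The practical check this suggests for any hand-written or generated parser is that every cursor comparison against an end pointer is `>=` or `<`, never `==`, and that every multi-byte skip is bounded by the remaining length.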

The sites we use depend on a number of third-party systems, and many sites, large and small, rely on the same few providers. If any one of those providers fails, it can compromise your security on every site that uses it. The larger the site, the more third parties it usually depends on.