Cloudflare says a bug in its edge servers exposed the data of its customers, including the websites of some big names. The company says it has found no evidence that anyone used the bug to hack any websites, although hundreds of thousands of websites were open to being hacked for a time.
You may recall that President Donald Trump’s website was hacked on Sunday. That site does use Cloudflare, but it’s unclear at this point whether that hack is connected to the security bug reported on Thursday.
Cloudflare patches security hole
Cloudflare is used by about 5.5 million websites, and the bug opened many of those customers up to hackers. The hole was open for about five months, although the company said in its blog post on the bug that the greatest exposure was between Feb. 13 and Feb. 18.
Over that time, the company was migrating to newer software from the older software it had been using. Cloudflare added, however, that the chances of hackers being able to get in during those days were small: only about one in every 3.3 million HTTP requests sent through its service could have resulted in a memory leak, a minuscule fraction of a percent of the requests.
Project Zero reported the security issue to Cloudflare last week, but the company has since fixed the issue with its servers and closed the hole.
Big-name websites affected by the Cloudflare bug
Cloudflare serves customers by routing their web traffic through its network. Its service is designed to keep hackers out of those websites, and it serves millions of big names, including some e-commerce sites, banks and government agencies. However, users of the websites might not know that their passwords and data were exposed because it’s not always clear that those websites use Cloudflare.
Company executives describe the bug as “serious because the leaked memory could contain private information and because it had been cached by search engines.” Even so, they appear unconcerned enough about the security problem that Chief Operating Officer John Graham-Cumming told the BBC that he’s not changing any of his passwords because he believes “the probability that somebody saw something is so low it’s not something I’m concerned about.”
He blamed the bug on an “ancient piece of software that contained a latent security problem.” He added that the issue only appeared as Cloudflare was moving from the old to the new software last week.
Bug compared to Heartbleed
Google engineer Tavis Ormandy, who discovered the security hole, said in his report on the discovery that it was vaguely reminiscent of the Heartbleed bug, which occurred in 2014. Cyber-security expert Prof. Alan Woodward told the BBC that “a few lines of errant code” caused the security hole. He added that because the web contains “millions of lines of code,” there are probably many more problems no one is even aware of.
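The “few lines of errant code” and the Heartbleed comparison both point at the same class of defect: a parser that trusts its input to be well-formed and so reads past the end of its buffer into neighbouring memory, which then travels out in the response. The C program below is an added illustration of that class, written for this page; it is not Cloudflare’s code and does not claim to reproduce the actual defect, whose details the article does not give. The 64-byte “slab”, the HTML fragment, the other tenant’s token and the two href-extraction routines are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A 64-byte slab of simulated edge-server memory (constructed for this
 * example).  Bytes 0..31 hold the HTML fragment one customer's page is being
 * rewritten from; bytes 32..63 hold data that belongs to someone else. */
#define SLAB_SIZE     64
#define REQUEST_BYTES 32
#define OTHER_TENANT  "session=TOKEN-OF-OTHER-TENANT"  /* constructed sample */
#define TOKEN         "TOKEN-OF-OTHER-TENANT"

static void build_slab(char slab[SLAB_SIZE], const char *fragment) {
    memset(slab, 0, SLAB_SIZE);
    strncpy(slab, fragment, REQUEST_BYTES - 1);        /* fragment stays in its 32 bytes */
    memcpy(slab + REQUEST_BYTES, OTHER_TENANT, sizeof OTHER_TENANT);
}

/* Bounded substring search; returns NULL if needle is not within hay_len. */
static const char *find_bounded(const char *hay, size_t hay_len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0)
            return hay + i;
    return NULL;
}

/* Copy the value of the first href="..." attribute into out.
 * BUGGY: the scan ends only when the closing quote appears.  The input
 * length is never consulted, so an unterminated attribute walks past the
 * fragment into whatever sits next in memory and copies it into the output. */
static size_t extract_href_buggy(const char *fragment, size_t fragment_len,
                                 char *out, size_t out_len) {
    const char *p = strstr(fragment, "href=\"");
    size_t n = 0;
    (void)fragment_len;                                /* the input bound is ignored */
    if (p == NULL) { out[0] = '\0'; return 0; }
    p += 6;
    while (n + 1 < out_len && *p != '"')              /* only the output buffer is guarded */
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* FIXED: every read is checked against the end of the fragment, and an
 * attribute still open when the input runs out is rejected instead of being
 * emitted together with whatever followed it in memory. */
static size_t extract_href_fixed(const char *fragment, size_t fragment_len,
                                 char *out, size_t out_len) {
    const char *end = fragment + fragment_len;
    const char *p = find_bounded(fragment, fragment_len, "href=\"");
    size_t n = 0;
    out[0] = '\0';
    if (p == NULL) return 0;
    p += 6;
    while (p < end && *p != '"' && n + 1 < out_len)
        out[n++] = *p++;
    if (p >= end || *p != '"') return 0;               /* unterminated or truncated: reject */
    out[n] = '\0';
    return n;
}

/* Runs one parser over the slab and returns the number of bytes it emitted. */
size_t run_parser(int use_fixed, const char *fragment, char *out, size_t out_len) {
    char slab[SLAB_SIZE];
    build_slab(slab, fragment);
    size_t len = strlen(slab);                         /* length of the real fragment */
    return use_fixed ? extract_href_fixed(slab, len, out, out_len)
                     : extract_href_buggy(slab, len, out, out_len);
}

/* Number of bytes the chosen parser emits for a fragment. */
size_t extracted_len(int use_fixed, const char *fragment) {
    char out[56];        /* 56 keeps the buggy scan inside the 64-byte slab for these inputs */
    return run_parser(use_fixed, fragment, out, sizeof out);
}

/* 1 if the parser's output contains the other tenant's token, else 0. */
int leaks_other_tenant(int use_fixed, const char *fragment) {
    char out[56];
    size_t n = run_parser(use_fixed, fragment, out, sizeof out);
    return find_bounded(out, n, TOKEN) != NULL;
}

int main(void) {
    const char *bad  = "<a href=\"/x";                /* closing quote missing */
    const char *good = "<a href=\"/x\">";
    printf("buggy parser, malformed input:   leak=%d\n", leaks_other_tenant(0, bad));
    printf("fixed parser, malformed input:   leak=%d\n", leaks_other_tenant(1, bad));
    printf("fixed parser, well-formed input: leak=%d\n", leaks_other_tenant(1, good));
    return 0;
}
```

Build with `cc -Wall -o leak leak.c && ./leak`. The fixed routine deliberately returns nothing for an unterminated attribute rather than a best-effort prefix: once leaked bytes are emitted into a response they are beyond the server’s control, which is exactly why the article notes that search engines had already cached the exposed data.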
He thinks it’s too early to know what damage could have been done, but he believes that Cloudflare and its customers were simply lucky that the hole didn’t result in a widespread exposure of passwords and private information. The hack of President Donald Trump’s website demonstrates that nearly any website can be vulnerable to hacking, although some require greater efforts than others.
In the case of Trump’s site, however, there was evidence that it wasn’t fully secured, leaving it highly vulnerable to hacking—with or without the Cloudflare bug.