Cloudflare, the popular DDoS protection service, may have leaked millions of users' data from websites that use it for protection, in a bug dubbed "Cloudbleed"¹.
There could not be a more appropriate name than Cloudflare. This is certainly a Cloudfire.
Digital asset exchanges all over the world have contacted users recommending that they immediately change their passwords and two-factor authentication (2FA).
Kraken sent this email to users yesterday:
"A bug was recently discovered with Cloudflare, which Kraken and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Kraken security credentials:
- Change your password
- Change your two-factor authentication (remove and re-enable it)
You should similarly change your security credentials for other websites that use Cloudflare (see link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.
- Clients who use API keys should generate a new set of keys
The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it’s important that you take appropriate precautions to protect yourself.
The problem is thought to have only started 6 months ago and 2FA or API keys generated before that time are probably not affected, but we recommend changing them anyway because the bug existed for years."
This bug is big, a "Windows Vista"-sized blunder, potentially affecting millions of websites.
The issue has to do with an HTML data parser. Google engineer Tavis Ormandy¹ called the bug "Cloudbleeding" in reference to the Heartbleed vulnerability. Ormandy first noticed the bug, and Cloudflare's blunder was so big that Google, Bing, Yahoo, and others had to help clean up the mess, since the leaked data cached by the search engines had to be scrubbed manually.
Certainly ironic, given that Cloudflare's entire business model is about internet security.
Does this Affect Me?
Why take a chance? If you hold bitcoins on any website that uses Cloudflare, or if you don't know what the site uses, change your passwords and reset your 2FA. Kraken, Bitstamp, and others have already alerted customers to take this action.
As for Cloudflare, dinbits.com uses it alongside other software and it has been a vital part of our infrastructure, so while this is a pretty big screw-up and something Cloudflare is not going to live down anytime soon, we would still recommend the service.