Cloudbleed Catches Security World Unaware

Written By
Sue Poremba
Feb 27, 2017

First there was Heartbleed. Now there is Cloudbleed, which, as Nathan Wenzler, chief security strategist at AsTech, told me in an email comment, has the potential to be much more devastating, despite being a different sort of problem.

Cloudbleed is a bug discovered in Cloudflare, and it exposed customer data of its many clients. As BBC explained, Cloudflare is designed to improve security by the way it routes data through its own network, but:

The bug came to light while Cloudflare was migrating from older to newer software between 13 – 18 February. . . . Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom.

As eSecurity Planet pointed out, the data leaked covered a wide range of information, from passwords to private messages to even hotel bookings. But unfortunately, most companies have not been upfront about the status of their customer data, nor have they been transparent about the actions they are taking to deal with the problem.

I doubt this is going to be an isolated problem. As Wenzler explained to me:

This is yet another example of what happens when developers are working with very complex systems that have so many moving pieces and parts, that even with due diligence exercised for the code they’re working on currently, it may cause other areas of an application to falter or break. Applications today are developed at incredible speeds, with massive teams scattered across the globe, making it increasingly difficult for any development team to understand every bit of code and how it relates to every other bit of code in their software. While there are tools that can help with this sort of thing, when coupled with strong processes and procedures, the sheer scope of these kinds of applications still makes it very hard for companies to stay on top of the inter-dependencies as closely as they need.

This is clearly a very serious data leak because of the sheer amount of information and people affected, but as Chris Roberts, chief security architect at Acalvio, told me via email, what added to the seriousness is how Cloudbleed caught the security world unaware. Roberts went on to state:

It’s a security company whose code migration introduced a flaw that wasn’t caught and that’s never good, especially when that flaw is introducing the ability for code to store/cache any number of elements, such as credentials, preferences, history, etc.

The one positive so far is that the Dark Web has been quiet, so it may be that the bug’s reach has been limited. But we don’t know. We don’t know how long this has been going on, how companies are reacting, or exactly what may be out there. I expect we’ll be hearing about Cloudbleed a lot as we move through 2017.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
