Posted: 2/24/2017

Maybe you missed the news, but a new vulnerability has been discovered and it is a huge deal.  The flaw was first discovered by Google’s Project Zero vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. The vulnerability has been identified as Cloudbleed.

Basically, a bug in the Internet infrastructure company Cloudflare’s code has led to an unknown amount of data (passwords, personal information, messages, cookies, and more to be exposed.  According to Wired.com , what happened is under certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.

The good news is that Cloudflare acted quickly to address the bug.  They pushed a preliminary fix less than an hour after discovering the issue, and within seven hours permanently patched the flaw across all of its systems around the world.  While this is good news, the damage has already been done.