'Cloudbleed' Bug: Coding Vulnerability Turned Data Hemorrhage Nightmare

A recently discovered data leak has a number of large companies on edge as the extent of the compromise is determined.

by / February 24, 2017

Another massive leak has potentially compromised a large amount of online user data, including, but not limited to, login credentials and other sensitive information.

This leak — the so-called “Cloudbleed” bug — appears to be the latest in a growing list of Internet nightmare scenarios, and is reportedly based around a coding vulnerability turned data hemorrhage. From what’s been divulged so far, the leak revolves around websites backed by Cloudflare, an international Internet security company.

Cloudflare provides services to millions of websites that primarily focus on maintaining those sites’ stability and security. It mirrors sites and sets up redundancies if the site suddenly becomes swarmed with traffic, or it handles a site’s implementation of SSL, the system that provides secure Web traffic, New York magazine reported. And while Cloudflare works unseen in the background, it’s still considered an important company for the infrastructure of the Internet.

As for what happened, the gist is that information that should have remained private in search engine data caches has dripped out into the world.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Cloudflare CTO John Graham-Cumming wrote in a blog post.

It remains unclear just how many websites have been caught up in the leak, which may have started as far back as September, according to Wired. And as of publication time on Feb. 24, it was unknown which public-sector entities were affected, but Government Technology is investigating the bug's reach into this sector.

Cloudflare reported the “greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”

Though many third-party resources have published information around the Cloudbleed leak, the company has not published a definitive list of affected customers as of yet. Companies like Uber, 1Password, Fitbit and OKCupid are said to be among some of the more notable organizations impacted by the exposure.
