Solution providers said a software bug found at Internet service provider Cloudflare highlights the need for companies to step up their game when it comes to data security.
The bug, discovered by Google security researcher Tavis Ormandy, led to the leakage of encryption keys, personally identifiable information (PII), HTTP cookies, passwords, HTTP POST bodies and HTTPS requests. The leakage was caused by edge servers running past the end of a buffer and returning adjacent memory containing the sensitive data in their responses, which were then cached by search engines. Cloudflare said customer SSL private keys were not leaked.
Cloudflare is an Internet service provider that hosts more than 5 million websites, including popular sites such as OKCupid, AgileBits and 1Password.
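To make the failure mode concrete, the following is an added, constructed illustration (not Cloudflare's code, and not a reproduction of the actual parser defect): a length-prefixed field is copied out of a request buffer that sits next to another customer's data in memory. The unchecked version trusts the sender's claimed length and only keeps the destination in bounds, so the copy reads past the request and the neighbouring tenant's data ends up in the response; the hardened version bounds the copy by the bytes that actually belong to the request and rejects a malformed length. The arena layout, the field names and the `SESSION=` marker are all assumptions made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: one 64-byte arena stands in for a slice of an
 * edge server's memory. Bytes 0..31 hold the request currently being
 * parsed; bytes 32..63 hold data belonging to a different customer's
 * request that happens to sit next to it in memory. */
#define ARENA_SIZE  64
#define REQUEST_LEN 32

static char arena[ARENA_SIZE];

/* Lay out the arena: byte 0 is a length prefix claimed by the sender,
 * followed by the field's real bytes ("user=alice", 10 bytes), then the
 * neighbouring tenant's data. The caller chooses the claimed length. */
static void build_arena(unsigned char claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = (char)claimed_len;
    memcpy(arena + 1, "user=alice", 10);
    /* exactly 32 bytes, fills the second half of the arena */
    memcpy(arena + REQUEST_LEN, "SESSION=cookie-for-other-tenant0", 32);
}

/* Vulnerable: trusts the claimed length and copies that many bytes from
 * the arena. The check only keeps the *destination* in bounds; nothing
 * stops the copy from reading past the 32-byte request into the
 * neighbouring tenant's data, which then ends up in the response. */
static size_t copy_field_unchecked(char *out, size_t out_size) {
    size_t n = (unsigned char)arena[0];
    if (n > out_size - 1)
        n = out_size - 1;
    memcpy(out, arena + 1, n);
    out[n] = '\0';
    return n;
}

/* Hardened: the copy is bounded by the bytes that actually belong to the
 * request. A claimed length larger than the remaining input is an error
 * and is rejected outright rather than silently clamped. Returns 0 on
 * success, -1 on a malformed length. */
static int copy_field_checked(char *out, size_t out_size, size_t *copied) {
    size_t n = (unsigned char)arena[0];
    size_t available = REQUEST_LEN - 1;   /* bytes after the length prefix */
    if (n > available || n > out_size - 1)
        return -1;
    memcpy(out, arena + 1, n);
    out[n] = '\0';
    *copied = n;
    return 0;
}

/* Detection helper: does the response buffer contain the other tenant's
 * marker? Scans raw bytes, since the copied data may contain NULs. */
static int contains_other_tenant_data(const char *buf, size_t len) {
    static const char marker[] = "SESSION=";
    size_t mlen = sizeof marker - 1;
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, marker, mlen) == 0)
            return 1;
    return 0;
}

int main(void) {
    char out[ARENA_SIZE];
    size_t n = 0;

    build_arena(60);   /* claims 60 bytes, though only 10 are real */
    n = copy_field_unchecked(out, sizeof out);
    printf("unchecked copy: %zu bytes, other tenant's data leaked: %s\n",
           n, contains_other_tenant_data(out, n) ? "yes" : "no");

    if (copy_field_checked(out, sizeof out, &n) != 0)
        printf("checked copy: rejected claimed length %u\n",
               (unsigned)(unsigned char)arena[0]);
    return 0;
}
```

The point of the hardened version is that the bound comes from the input the parser actually owns, not from a value the sender controls, and that an impossible length is treated as a protocol error rather than clamped; clamping to the destination size is what lets the unchecked version copy neighbouring memory without ever crashing, which is why such a defect can run quietly for a long time.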
Cloudflare said in a blog post that the period of greatest impact from the bug was between Feb. 13 and Feb. 18, when around 1 in every 3.3 million requests could have leaked data. That amounts to around 120,000 pages a day. The company said there is no evidence that hackers have exploited the data leakage.
Cloudflare said it turned off three features (email obfuscation, server-side excludes and automatic HTTPS rewrites) to halt the leak. It also launched a cross-functional team to better understand the issue and to work with Google and other search engines to remove cached HTTP responses.
"We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it," Cloudflare said in a blog post.
The bug is the latest high-profile event to hit an Internet service provider; last fall, a distributed denial-of-service (DDoS) attack on Dyn leveraged distributed IoT devices infected by the Mirai botnet to take down more than 1,200 websites. The two events are unrelated: the Cloudflare event is a data leakage bug, not a DDoS attack.
Jack Koons, director for global security solutions at Blue Bell, Pa.-based Unisys, said that, while Cloudflare was quick to resolve the problem at its source, businesses should still be concerned about leaked data that has since been cached on servers, leaving it out in the wild. He said businesses that are concerned they might be affected should do basic security triage: changing passwords, notifying the IT department and taking inventory of the type of data that may have been compromised and whether it has any business or regulatory implications.
Going forward, Koons said businesses should take steps to secure their critical data and assets before they reach the Internet, comparing it to putting on a coat before leaving the house in the winter. He said that includes security steps such as identifying critical data assets, segmentation and encryption.