CloudBleed, the Cloudflare Vulnerability
In late February, Tavis Ormandy, a Google security researcher, contacted Cloudflare, the web performance and security company, about a memory leak in their systems caused by a parser bug. Many companies, such as Salesforce, Uber and OK Cupid, use Cloudflare, which touts Performance, Security, Reliability and Insight as its key capabilities.
Essentially, when the server received certain data, it would fail to parse it properly, run past the end of the buffer and cough up memory. This memory often contains sensitive, personal data. Ormandy found the bug by fuzzing the server, that is, sending it junk data. In the process, he received some responses containing memory data.
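The class of bug described above, a parser running past the end of its buffer and returning whatever sits next to it, shown as an added C example; it is a simplified illustration and not Cloudflare's code. The backslash escape syntax, the `arena` layout and all names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena: an 8-byte input buffer followed by unrelated data,
   standing in for whatever lives next to the buffer in process memory. */
#define IN_LEN 8
static const char arena[] = "name=ab\\" "session=CONSTRUCTED-SECRET";

/* Copies input to out; '\\' means "take the next byte literally".
   strict=0: end-of-buffer test is `p != pe` (the flawed pattern).
   strict=1: test is `p < pe`, and an escape must have a following byte.
   `limit` keeps the demonstration itself inside the arena.
   Returns the number of bytes written (excluding the NUL). */
static size_t parse(const char *p, const char *pe, const char *limit,
                    int strict, char *out, size_t cap)
{
    size_t n = 0;
    while ((strict ? p < pe : p != pe) && p < limit && n + 1 < cap) {
        if (*p == '\\') {
            if (strict && p + 1 >= pe) break;  /* truncated escape: stop */
            p++;                               /* may land exactly on pe */
            if (p >= limit) break;
        }
        out[n++] = *p++;                       /* flawed path steps past pe */
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if the parsed output contains data from outside the input. */
static int leaks(int strict)
{
    char out[64];
    parse(arena, arena + IN_LEN, arena + sizeof arena - 1,
          strict, out, sizeof out);
    return strstr(out, "CONSTRUCTED-SECRET") != NULL;
}

int main(void)
{
    printf("p != pe check leaks adjacent data: %d\n", leaks(0));
    printf("p <  pe check leaks adjacent data: %d\n", leaks(1));
    return 0;
}
```

An input that ends in the middle of a token is exactly the kind of malformed data fuzzing produces, which is why junk input was enough to surface the leak.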
Fitbit, Uber and OK Cupid have all made statements that they were minimally, if at all, affected, but they encouraged customers to change their passwords and to notify them if they suspect they could have been among the victims of such an exploit. It’s truly impossible for these companies to determine when and how much data has been leaked. Users with more traffic are at greater risk.
Additional Resources: https://www.macrumors.com/2017/02/24/cloudflare-bug-sensitive-data-fixed/