What Does Cloudbleed Mean for Small Business?

What is Cloudbleed?

Cloudbleed is the name of a serious bug discovered in Cloudflare by a Google security researcher on February 17. Cloudflare provide services that millions of websites globally use for improved performance and security. It's this scale and some of the big names using the service (including Uber, OKCupid, Fitbit, Yelp and many more) that may be effected that makes this bug such a serious concern for many.

Example of data found leaking from Uber via Cloudbleed including authentication details and driver location details

Example of data found leaking from Uber via Cloudbleed including authentication details and driver location details

In a statement posted to their website, Cloudflare provide a quite detailed technical rundown of what happened. In essence some code in their platform was leaking data shared with their servers, exposing it publicly on other websites. The bug was present in their platform for around 6 months between September 22 2016 and February 18 2017.

For already public data, this wouldn't be too big of a concern, however as Cloudflare handles more than just public data there's a risk that sensitive data including passwords, payment details and personally identifiable information (PII) may also have been exposed. In fact as part of the clean up, data from over 150 sites was found in Google and other search indexes, confirming this was happening.

So what does Cloudbleed mean for my business?

With Cloudflare’s bug, it’s enormously hard to identify exactly who’s been impacted and to quantify the risk.
— Troy Hunt

This is where things get a bit messier. Due to the scale and nature of the leak, it's very difficult to determine the full impact. Troy Hunt has a good write up explaining why this is the case, noting the incident could be seen as "either a tiny fraction of traffic or a large number of requests. In reality, it's both."

As a business owner there are 2 major questions you need to answer in order to assess the risk of this leak on your business:

  1. Was any sensitive data I am responsible for leaked?
  2. Were any of the services my business relies on impacted?

How do I know if sensitive data I'm responsible for was leaked by Cloudbleed?

This is possibly the easier question to answer. In one list of sites using Cloudflare, around 50,000 .au domains are shown. If any of your sites use Cloudflare, there is a chance that data transferred to it in the 6 month window may have been leaked. First determine if your site is hosted behind Cloudflare by contacting your site administrator if someone manages it for you, or checking DNS if you manage it yourself. If you are using Cloudflare, consider aspects of your site that may have been used to share sensitive data with you, here are some questions to consider:

  • Do you collect personal information? 
  • Do users log into your site with a password?
  • Do users share files with you via your site?

If you're using Cloudflare and you collected sensitive data via it in the past 6 months, you should think about what harm the leak could cause and consider taking measure to mitigate the risks.

How do I know if services we use were impacted by Cloudbleed?

Security notification sent to Cubits customers following Cloudbleed

Security notification sent to Cubits customers following Cloudbleed

In some instances you may have already been notified by services impacted by Cloudbleed. In some instances services will have taken proactive security measures like resetting passwords that will require you to act before service is restored. If you have been notified by service providers, you should review their guidance and follow any directions they provide.

Since Cloudflare is used on millions of websites, there's a strong possibility that you may never know the full extent of the leak. Its impossible to truely know what was leaked by Cloudbleed, but its important to consider what critical services your business relies on that may have been impacted. In case you don't already have a list of critical services, this is a good opportunity to take stock of what's critical to your business and undertake some good practice cyber security hygiene measures.

So what now?

If you've identified sensitive data under your responsibility that may have been leaked, you should consider the measures you can take to limit any harm. This can be a difficult task if you've not done it before so consider engaging professionals such as CyberAsk for help.

Even if your data is safe, we would recommend you look to safeguard your business by reviewing your critical services and changing passwords or restarting any authentication sessions you have with them. If you're unsure, you may want to contact their support team and ask for further guidance on what steps you can take.

Once your business systems are secure, consider doing the same thing with any critical personal accounts you may have and ask your staff to do the same. Take extra care if you use the same password between sites and set a new one on anything you consider sensitive or important.

What else should we do?

Sadly as our businesses continue to digitise and adopt cloud services, we become increasingly exposed to these types of risks. We're fortunate that in this instance Cloudbleed was discovered by a trusted researcher and Cloudflare were able to address the leaks quickly and effectively. It serves as a good reminder though that these things can and will happen in the future. To help manage these types of risks to your business, consider the following steps as a start:

  • Inventory the services you rely on and review their security risks
  • Consider implementing a password manager to improve password security and speed up future responses
  • Look to enable Two-Factor Authentication (2FA) wherever possible
  • Create incident response plans and review them on a regular basis

And lastly if you still have concerns or would like to understand how we can help you business regain control of its security risks, get in contact with us.

Adam Selwood