Cloudflare became a widely used content delivery network (CDN) over the past few years by offering attractive pricing and features such as DDoS protection. Many popular sites use Cloudflare for its feature set as well as its ease of integration; for many content management platforms (e.g. WordPress, Joomla and Drupal) it is trivial to set up. Recently, a serious security flaw was disclosed in the Cloudflare edge servers that sit in front of those sites, and it means you should go update your passwords.
What is the Cloudflare Security Issue?
At its essence, the Cloudflare issue was a bug in the HTML parser running on Cloudflare's edge servers: on certain inputs it read past the end of a buffer and returned the contents of adjacent memory inside HTTP responses. That memory could hold data from other customers' requests passing through the same server, including cookies, authentication tokens and POST bodies. Because the leaked bytes were served to ordinary clients and crawlers like any other response, some of this information was even cached and indexed by Google and other search engines. This, combined with how much sensitive transactional traffic Cloudflare proxies, is why the bug was nicknamed "Cloudbleed", after the OpenSSL Heartbleed bug of a few years ago.
You can read more in Cloudflare's official blog post on the incident, which we recommend reading in full.
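To make the bug class concrete, here is an added illustrative example; it is not Cloudflare's code and is not from the original post. Cloudflare's write-up attributed the leak to an end-of-buffer check in its generated HTML parser that tested for equality with the end pointer, so a cursor that stepped past the end was never caught. The toy parser below reproduces that pattern: it scans a fixed-size request buffer, an escape sequence can advance the cursor by two bytes, and with `==` a backslash in the last position pushes the cursor past the end and into the adjacent memory. The `edge_memory` struct, the sample HTML fragment and the "secret" that follows it are all constructed for the demo and stand in for another customer's request data sitting next to the buffer on a shared edge server.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory layout (assumption for the demo): the buffer being
 * parsed is immediately followed by data that belongs to someone else,
 * standing in for another customer's request on the same edge process. */
struct edge_memory {
    char page[16];    /* HTML fragment being parsed, no NUL terminator */
    char secret[64];  /* adjacent memory: another request's data      */
};

/* Toy parser: copies the bytes between '<' and '>' into out.  A backslash
 * is treated as an escape that also consumes the following byte, so the
 * cursor p can advance by two at once.  The loop is supposed to stop when
 * p reaches pe (one past the last byte of the buffer).
 *
 * With use_safe_check == 0 the end test is `p == pe`, as in the bug class
 * Cloudflare described: a backslash in the last byte moves p to pe + 1,
 * the equality test never fires, and the parser keeps reading whatever
 * lies after the buffer.  With use_safe_check != 0 the test is `p >= pe`. */
static size_t extract_tag(const char *buf, size_t len, int use_safe_check,
                          char *out, size_t out_cap)
{
    const char *p = buf;
    const char *pe = buf + len;
    size_t n = 0;
    int in_tag = 0;

    for (;;) {
        if (use_safe_check ? (p >= pe) : (p == pe))
            break;                         /* end-of-buffer check */
        if (n + 1 >= out_cap)
            break;                         /* output buffer full (keep NUL room) */
        if (!in_tag) {
            if (*p == '<')
                in_tag = 1;
            p++;
            continue;
        }
        if (*p == '>') {
            in_tag = 0;
            p++;
            continue;
        }
        if (*p == '\\') {
            p += 2;                        /* escape: skip '\' and escaped byte */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Builds the constructed arena and runs the parser over its first member.
 * Returns the number of bytes copied into out. */
size_t cloudbleed_demo(int use_safe_check, char *out, size_t out_cap)
{
    struct edge_memory mem;
    memset(&mem, 0, sizeof mem);
    /* 16-byte fragment whose last byte is a backslash (constructed input) */
    memcpy(mem.page, "<img src=abcde \\", sizeof mem.page);
    /* constructed stand-in for another customer's sensitive data */
    strcpy(mem.secret, "Cookie: session=9f3a2c; Authorization: Bearer x");
    /* Pass the whole struct as the byte array so the overrun stays inside
     * one object and the demo is well-defined C. */
    return extract_tag((const char *)&mem, sizeof mem.page, use_safe_check,
                       out, out_cap);
}

int main(void)
{
    char out[32];
    cloudbleed_demo(1, out, sizeof out);
    printf("fixed parser (>=): \"%s\"\n", out);
    cloudbleed_demo(0, out, sizeof out);
    printf("buggy parser (==): \"%s\"\n", out);
    return 0;
}
```

The fixed variant stops after the 14 bytes of the tag; the buggy variant fills the rest of the output with bytes taken from the neighbouring "secret", which is exactly how unrelated customers' cookies and tokens ended up in Cloudflare responses. The fix is the one-character change from `==` to `>=` in the end check, plus not letting any single step move the cursor further than the remaining input.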
How Widespread is the Cloudflare Issue?
Very. From what we gather, every site proxied through Cloudflare is potentially affected: the leaked bytes came from memory shared by the edge processes, so a site's data could turn up in a response for an unrelated site that happened to trigger the bug. In terms of official numbers, the company's blog post states that 1 in every 3,300,000 HTTP requests was impacted. At Cloudflare's request volume, a 0.00003% rate still means a huge number of requests leaked data. Note that this figure is not a theoretical chance of a leak; it is Cloudflare's estimate of the share of requests that actually returned leaked memory.
To get a sense of the scale, you can see a list of the top 10,000 worldwide sites (per Alexa) that use Cloudflare here. That site also links to tools that let you check sites by name, with millions of domains covered, instead of downloading the entire list.
What Should You Do?
We suggest it is time to change passwords. At STH we do not use Cloudflare as a CDN and therefore are not directly impacted. At the same time, many popular sites our readers likely visit were impacted. Take this as an opportunity to update passwords, starting with accounts on affected sites and any account that shares a password with one. Since the leaked memory could contain session cookies and API tokens as well as passwords, it is also worth logging out of all active sessions and rotating API keys for services that sat behind Cloudflare. Finally, treat this as a nudge to enable two-factor authentication on any important account.