Announcing a Return to our Roots: The All-New Bitcoin Magazine

Using a Bitcoin Service? You May Need to Change Your Password (Now)

by

         Using a Bitcoin Service? You May Need to Change Your Password (Now)

Some of the most popular Bitcoin services on the internet may have leaked sensitive user information, including passwords.

Cloudflare is a popular content delivery network that effectively acts as a sort of digital shield, a proxy that offers millions of websites DoS protection and other services. Some of the biggest websites on the internet use Cloudflare, including several well-known Bitcoin companies, like Coinbase, Kraken, LocalBitcoins, Poloniex and more

Any data sent to and from these websites essentially passes through Cloudflare. This includes passwords, as well as cookies, authentication tokens and other sensitive information.

Last week, an exploit now known as “Cloudbleed” — a reference to the Heartbleed security bug — was discovered by Google Project Zero security researcher Tavis Ormandy. A major flaw in Cloudflare’s infrastructure, caused by what is known as a “buffer overflow,” basically spilled data all across the internet. Whenever anyone requested data from a particular website or mobile app protected by Cloudflare, Cloudflare could randomly send data from completely different websites along with it.

“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” Ormandy wrote in his blog entry.

The vulnerability is significant in scope as well as length. It could have been exploited anytime between September 22 and February 20, while the period of greatest impact was between February 13 and 18. And as a potentially bigger concern, some search engines may have even cached the sensitive data as well, meaning it’s publicly available to anyone.

The good news is that the odds of sensitive data falling into the wrong hands so far seems relatively small. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Cloudflare itself wrote in their incident report.

However, the bad news is that there is no way of knowing exactly what data may have leaked. Users of services that may have been impacted, therefore, should assume their data is no longer secure and change their passwords immediately. (This of course also includes passwords on non-Cloudflare websites that have been used across multiple sites.)

It seems less likely that accounts protected with two-factor authentication are vulnerable, though it may depend on the specific implementation; resetting it is still advisable. Those that use API keys should be reset too.

Cloudflare has since patched the bug, and some search engines (like Google) are removing any such data from their caches that they can find.

See this GitHub page for more websites that may have been affected by Cloudbleed.

Recommended

Bitcoin Wallet Forced to Drop Key Privacy Features From Google Play App

The privacy restrictions on Samourai's wallet will only affect the new version available on Google Play.

Colin Harper

Neutrino: A Privacy-Preserving Light Wallet Protocol

Jimmy Song explains Neutrino, a new protocol for light clients to get the data that they need while preserving privacy, without trusting a central server.

Jimmy Song

Blockchain Analysis Is About to Get Harder as P2EP Enters Testing Phase

“Privacy is essential for Bitcoin. Ideally we want to screw up [blockchain] analysis so badly, that they can't even make it.”

Aaron van Wirdum

Security Researchers Reveal Wallet Vulnerabilities On Stage at 35C3

The companies behind the hardware wallets claim not to have been given an opportunity to fix the vulnerabilities via responsible disclosure practices prior to the announcement.

Jimmy Aki