Some of the most popular Bitcoin services on the internet may have leaked sensitive user information, including passwords.
Cloudflare is a popular content delivery network that effectively acts as a digital shield: a reverse proxy that offers millions of websites DoS protection and other services. Some of the biggest websites on the internet use Cloudflare, including several well-known Bitcoin companies, like Coinbase, Kraken, LocalBitcoins, Poloniex and more.
Any data sent to and from these websites essentially passes through Cloudflare. This includes passwords, as well as cookies, authentication tokens and other sensitive information.
Last week, a bug now known as “Cloudbleed” (a reference to the Heartbleed security bug) was discovered by Google Project Zero security researcher Tavis Ormandy. A major flaw in Cloudflare’s infrastructure, caused by what is known as a “buffer overflow,” leaked data across the internet: whenever anyone requested data from a website or mobile app protected by Cloudflare, Cloudflare could, at random, return data belonging to completely different websites along with it.
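To make the failure mode concrete, here is an added illustration that is not from the article and not Cloudflare’s code: a toy HTML-attribute parser of the kind a proxy uses to rewrite pages, in a vulnerable form and a hardened form. The shared arena, the two tenants and the malformed input are all constructed for the example; the article does not describe the real parser’s internals. The point it demonstrates is how a loop that checks for the end of its buffer with `==` rather than `>=`, and reads one byte past its input to complete an escape sequence, walks off the end of one tenant’s response and copies the next tenant’s bytes into the output it returns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input (not from the article): a proxy arena in which the
 * response being rewritten for tenant A sits directly in front of bytes that
 * belong to tenant B. Tenant A's href value is cut off by a trailing
 * backslash, i.e. an escape sequence whose second byte lies past the end. */
#define TENANT_A "<a href=\"/login\\"
#define TENANT_B "SESSION=s3cr3t-cookie-of-tenant-B"
static const char ARENA[] = TENANT_A TENANT_B;
#define A_LEN (sizeof(TENANT_A) - 1)   /* only these bytes are tenant A's */

/* Advance past the first href=" in buf[0..len). Returns NULL if absent.
 * This search is bounded correctly; the defect is in the value copy below. */
static const char *find_href(const char *buf, size_t len)
{
    static const char needle[] = "href=\"";
    const size_t nlen = sizeof(needle) - 1;
    const char *p = buf, *end = buf + len;
    while ((size_t)(end - p) >= nlen) {
        if (memcmp(p, needle, nlen) == 0)
            return p + nlen;
        p++;
    }
    return NULL;
}

/* Vulnerable form. Copies the attribute value into out (at most outsz-1 bytes,
 * truncating when full) and returns the byte count, or -1 if href is absent or
 * the value is unterminated. Two defects: the escape branch reads p[1] without
 * checking that it is inside the buffer, and the end test is `p == end`, which
 * a two-byte step can jump over, so the loop keeps copying whatever follows. */
static int extract_href_unsafe(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *p = find_href(buf, len), *end = buf + len;
    size_t n = 0;
    if (p == NULL)
        return -1;
    for (;;) {
        if (p == end)                    /* BUG: never true once p > end */
            return -1;
        if (n + 1 >= outsz || *p == '"')
            break;
        if (*p == '\\') {
            out[n++] = p[1];             /* BUG: p[1] may lie past end */
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: the end test is `p >= end` so it cannot be stepped over, and
 * an escape is only consumed when both of its bytes are inside the buffer. */
static int extract_href_safe(const char *buf, size_t len, char *out, size_t outsz)
{
    const char *p = find_href(buf, len), *end = buf + len;
    size_t n = 0;
    if (p == NULL)
        return -1;
    for (;;) {
        if (p >= end)                    /* unterminated value: refuse it */
            return -1;
        if (n + 1 >= outsz || *p == '"')
            break;
        if (*p == '\\') {
            if (p + 1 >= end)            /* escape has no second byte */
                return -1;
            out[n++] = p[1];
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char out[32];
    int n = extract_href_unsafe(ARENA, A_LEN, out, sizeof out);
    printf("unsafe: %d bytes: %s\n", n, n < 0 ? "(refused)" : out);
    n = extract_href_safe(ARENA, A_LEN, out, sizeof out);
    printf("safe:   %d bytes: %s\n", n, n < 0 ? "(refused)" : out);
    return 0;
}
```

Run against the constructed arena, the vulnerable parser returns `/loginSESSION=s3cr3t-cookie-of-`, tenant A’s link followed by tenant B’s session cookie, which is exactly the shape of leak the article describes; the hardened parser refuses the malformed value with -1 and still handles well-formed and escaped values normally. The defence is the pair of bounds checks, not any change to the input.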
“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” Ormandy wrote in his blog entry.
The vulnerability is significant in scope as well as duration. It could have been exploited at any time between September 22 and February 20, and the period of greatest impact was between February 13 and 18. A potentially bigger concern is that some search engines may have cached the leaked data, meaning it is publicly available to anyone.
The good news is that, so far, the odds of sensitive data having fallen into the wrong hands seem relatively small. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Cloudflare itself wrote in its incident report.
However, the bad news is that there is no way of knowing exactly what data may have leaked. Users of services that may have been affected should therefore assume their data is no longer secure and change their passwords immediately. (This also includes passwords that were reused on non-Cloudflare websites.)
Accounts protected with two-factor authentication seem less likely to be vulnerable, though this may depend on the specific implementation; resetting the second factor is still advisable. Those who use API keys should reset them too.
Cloudflare has since patched the bug, and some search engines (like Google) are removing any such data from their caches that they can find.
See this GitHub page for more websites that may have been affected by Cloudbleed.