New Security Leak Reveals Personal Data at 3,400 Websites

TechViews News

Cyber criminals cause havoc by breaking into web services in an attempt to steal personal data, using a range of hacking methods with names like brute force, social engineering, zero-day exploits and other software exploits.

But what if a simple typo could inadvertently leak out data without hacker intervention?

A coding error in a popular web hosting company's software was found to have caused thousands of websites to leak sensitive data, including passwords, encryption keys and cookies, for months.

Affected sites include services like Yelp, OKCupid, Uber, Fitbit, Patreon, Fiverr, Forbes, and many others.

Cloudflare, whose service is used by more than 5.5 million websites, admitted that there was indeed a serious memory leak that may have contained sensitive information.

Google’s Project Zero researcher and bug hunter Tavis Ormandy spotted the issue on February 18th and promptly informed Cloudflare about it.

(If you can recall, Ormandy is the same researcher who exposed flaws and bugs in popular software from Symantec and LastPass.)

The Cloudflare leak was apparently caused by a single typo: the character '>' was used rather than '=' in the source code of the Cloudflare software that serves the websites using its service.
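As an added illustration that is not Cloudflare's code or the actual Cloudbleed parser, the constructed C program below shows how a one-character difference in an end-of-input comparison lets a parser copy a neighbour's bytes into its output, and what the hardened check looks like. The arena layout, the `k=<value>` format with backslash escapes, and the `COOKIE=s3cr3t` neighbour data are all made up for the demonstration.

```c
#include <string.h>

/* Constructed illustration, not Cloudflare's parser: one arena holds the
 * parser's input followed directly by unrelated data, as a shared heap does. */
enum { ARENA_LEN = 64, INPUT_LEN = 5, OUT_CAP = 32 };
static char arena[ARENA_LEN];
static char out[OUT_CAP + 1];
static const char input[] = "k=ab\\";             /* value ends in a cut-off escape */
static const char neighbour[] = "COOKIE=s3cr3t;";  /* must never reach the output */

/* Copy the value of "k=<value>" into out, stopping at ';' or at end of input.
 * A backslash escape consumes two bytes at once, so the cursor can jump over
 * `end` instead of landing on it. strict_eq != 0 writes the end check as
 * "p == end" (the one-character defect); otherwise it is "p >= end". */
static size_t extract_value(const char *p, const char *end, int strict_eq)
{
    size_t n = 0;
    if (end - p < 2 || p[0] != 'k' || p[1] != '=')
        return 0;
    for (p += 2; n < OUT_CAP; ) {
        /* Equality only catches a cursor that lands exactly on end;
         * >= also catches one that has already stepped past it. */
        if (strict_eq ? p == end : p >= end)
            break;
        if (*p == ';')
            break;
        if (*p == '\\') {
            if (!strict_eq && end - p < 2)  /* hardened: refuse a truncated escape */
                break;
            out[n++] = p[1];                /* buggy path: reads the byte after end */
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    return n;
}

/* Lay out input then neighbour in the arena, run the parser over the input
 * slice only, and return the NUL-terminated result. With strict_eq the result
 * is "abCOOKIE=s3cr3t"; with the >= check it is "ab". */
const char *run_parser(int strict_eq)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, input, INPUT_LEN);
    memcpy(arena + INPUT_LEN, neighbour, sizeof neighbour);
    size_t n = extract_value(arena, arena + INPUT_LEN, strict_eq);
    out[n] = '\0';
    return out;
}
```

The buggy variant keeps reading until it happens to meet a ';' in the neighbouring data, which is exactly the kind of adjacent-memory content that ends up in responses when such a check fails.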

It is thought that the data leakage may have been going on since as far back as September 22, 2016. To make matters worse, the leaked sensitive data may have been cached by search engines, which made this bug even more serious.

Here’s a list of some of the notable sites affected by “Cloudbleed”:

  • authy.com
  • coinbase.com
  • betterment.com
  • fiverr.com
  • transferwise.com
  • prosper.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com
  • zendesk.com
  • ziprecruiter.com
  • uber.com
  • poloniex.com
  • localbitcoins.com
  • kraken.com
  • 23andme.com
  • curse.com (and some other Curse sites like minecraftforum.net)
  • counsyl.com
  • tfl.gov.uk

Since the sensitive data has been potentially exposed for months and was cached publicly in search engines, it is wise to change your passwords if you are using any of the affected Cloudflare sites.

To read Cloudflare’s official report on the incident, click here.

**********

Be Safe – Backup Your Data Regularly!

And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.
