Dormant bug threatens security of over 4.2 million domains.
Thanks to the record-setting numbers of data breaches that have exposed literally hundreds of millions of consumer records, your chances of having someone use your identifying information against you are pretty good. But sometimes the culprit isn’t some hoodie-clad hacker in a darkened room. Sometimes, it’s the software that is supposed to keep your data safe.
Cloudflare has just learned that lesson the hard way, and is now in the process of notifying its customers that a software bug may have exposed identifying details of those companies’ customers. Cloudflare, which, ironically, is dedicated to web security for its clients, discovered a long-standing bug that had until recently never done any harm; a change to Cloudflare’s software “activated” the bug, or rather, stopped masking it, so that it began exposing user information.
“The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer,” the company explained in its official statement. “This is known as a buffer overrun. Had the check been done using >= instead of ==, jumping over the buffer end would have been caught. The equality check is generated automatically by Ragel and was not part of the code that we wrote. This indicated that we were not using Ragel correctly.
“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun.”
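To make the quoted explanation concrete, here is an added example (not Cloudflare’s or Ragel’s code) that models the defect: a scanner that skips an escaped byte advances its pointer by two, can jump past the logical end `pe`, and an `==` end-of-buffer check then never fires, while a `>=` check stops it. The input strings are constructed, and the padding bytes stand in for whatever happens to sit after the buffer in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan backing[0..len) for the '>' that closes a tag, one byte at a time,
 * except after a backslash, where the escaped byte is skipped (p += 2).
 * That two-byte step can carry p from pe - 1 to pe + 1 without ever being
 * equal to pe. Returns how many bytes were examined beyond the logical end.
 * The caller supplies pad extra bytes so this demonstration itself never
 * reads memory it does not own. */
size_t bytes_read_past_end(const char *backing, size_t len, size_t pad, int use_geq) {
    const char *p = backing;
    const char *pe = backing + len;              /* logical end of the data   */
    const char *hard_end = backing + len + pad;  /* hard stop for this demo   */
    size_t overrun = 0;

    while (p < hard_end) {
        if (p >= pe) overrun++;                  /* byte examined past pe     */
        if (*p == '>') break;                    /* tag closed: done          */
        p += (*p == '\\') ? 2 : 1;               /* escape skip: may jump pe  */
        if (use_geq ? (p >= pe) : (p == pe))     /* the end-of-buffer check   */
            break;
    }
    return overrun;
}

/* Build a constructed input followed by 'Z' padding that models the adjacent
 * memory a real overrun would expose, then run the scanner with either check. */
size_t demo_overrun(const char *data, int use_geq) {
    enum { PAD = 8 };
    size_t len = strlen(data);
    char backing[64];
    memcpy(backing, data, len);
    memset(backing + len, 'Z', PAD);
    return bytes_read_past_end(backing, len, PAD, use_geq);
}

int main(void) {
    /* "ab\" ends in a backslash, so the last step jumps over pe. */
    printf("== check: %zu bytes read past end\n", demo_overrun("ab\\", 0));
    printf(">= check: %zu bytes read past end\n", demo_overrun("ab\\", 1));
    return 0;
}
```

With the `==` check the scanner walks through all of the padding, which in Cloudflare’s case was other requests’ data; with `>=` it stops at the jump.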
While there’s no complete list of websites associated with Cloudflare as of yet, some sources have already issued a brief list and an updated, slightly longer list. These lists will help the public know whether they have accounts on any of those sites, as their usernames and passwords may have been accidentally compromised. This is a real danger for users who have fallen into the bad habit of reusing passwords across sites: if a password that was potentially compromised on an innocuous site is also the one you use for your online banking login, that credential could be “out there” and in the wrong hands.
Other companies that rely on Cloudflare services have been quick to notify their users that their information was not exposed. VPN provider TunnelBear, for example, sent the following message to its free and premium users:
“At this time, CloudFlare has confirmed with us that ‘Your domain is not one of the domains where we have discovered exposed data in any third party caches.’… If we had been impacted, it’s possible third parties could have had access to the email address and password you use for your TunnelBear account.”