Risk & Repeat: Cloudflare bug poses incident response challenges
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the recent Cloudflare bug that leaked an undetermined amount of customer data over several months.
The Cloudflare bug discovered by Google's Project Zero was quickly mitigated, but the incident poses challenges for enterprises struggling to determine an appropriate response.
Cloudflare announced last Thursday that Project Zero researcher Tavis Ormandy had reported a major security problem with the content delivery network provider's edge servers. The Cloudflare bug was caused by a compatibility issue between an old HTML parser and a new version that was rolled out in September; it triggered a memory leak of private customer data, including passwords, cookies and tokens.
Cloudflare is still investigating the bug, which has been dubbed Cloudbleed, but any customer data transmitted between Sept. 22, 2016, and Feb. 17, 2017, could have been leaked.
While only a small fraction of customer HTTPS requests actually leaked data, the exposed data was cached by web browsers and could have been swept up by third-party web crawlers. Cloudflare worked with search engine companies to remove the private data from their caches before the bug was made public, but there is no guarantee that the exposed data was not picked up by other sources.
Further complicating matters for Cloudflare and enterprises is the fact that, while Cloudflare identified and turned off three minor features connected to the HTML parser issue, companies that didn't use those features could still be affected by the bug.
In this week's episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin break down the Cloudflare bug and how the company responded to the incident. They also discuss the challenges in determining the full scope of Cloudbleed's damage and debate how enterprises should respond.