Earlier this week, Google Project Zero researcher Tavis Ormandy released a report outlining vulnerabilities in Cloudflare’s content delivery network. The vulnerability was leaking private data from encryption keys to private messages belonging to users of some of the Internet’s biggest properties.
Earlier today, Threatpost’s Mike Mimoso quoted one of the affected sites:
“We are currently investigating the issue reported with Cloudflare’s service to understand how it impacts our users. We encourage anyone who believes they have an issue to notify our team at firstname.lastname@example.org. Concerned users can change their account password, followed by logging out and in to the mobile application with the new password. We recommend that users avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to malicious behavior.”
According to Robert Hansen, posting at OutsideIntel, the vulnerability potentially affects more than 5 million sites including such popular sites as FitBit and OkCupid. The bug was active from February 13 to February 18. During that period, one out in 3.3 million HTTP requests made through Cloudflare may have leaked data.
What does that mean for you?
Well if you use any of the sites listed on the list published by Gizmodo, you should probably change your password for safety’s sake. Overall, this is still an evolving story, so stay tuned to our friends over at Threatpost for the latest news.