On February 17 an individual discovered a bug in the infrastructure of Cloudflare, a company that many bitcoin companies use for DoS protection and other services. The bug is considered severe, and security credentials for many bitcoin accounts should be changed.
Cloudbleed Vulnerability May Affect Bitcoin Users
The Cloudflare system has reportedly been leaking significant amounts of uninitialized memory that could contain sensitive data, including two-factor authentication (2FA) secrets and passwords. According to many reports, including from the person who found the bug, this may have been happening for months, and the leaked data may have been spraying onto the open web.
The leak could possibly lead to people’s accounts being compromised on many bitcoin websites and services. Bitcoin websites that could be affected include Coinbase, Localbitcoins, Poloniex, Kraken, Bitfinex, Bittrex, Bitstamp, Reddit, and many more. Many people in the bitcoin community are warning others to reset their 2FAs and change passwords immediately. Alongside this, bitcoin companies who may have been affected are also warning customers to take the necessary precautions.
“A bug was recently discovered with Cloudflare, which Kraken and many other websites use for DoS protection and other services,” states the San Francisco-based bitcoin exchange Kraken. “Due to the nature of the bug, we recommend as a precaution that you change your Kraken security credentials: Change your password, Change your two-factor authentication (remove and re-enable it), Clients who use API keys should generate a new set of keys. You should similarly change your security credentials for other websites that use Cloudflare.”
The Extent of the Damage Could be Severe
The Cloudflare issue is very reminiscent of the Linode attacks in 2012 and the Heartbleed vulnerability back in the spring of 2014. Whether or not Cloudflare’s leak got into malicious hands is undetermined, but Bitcoiners on forums are shaken up. The uninitialized memory leaked by the Cloudflare service includes data such as cookies, HTTP content, passwords, and TLS certificates. The person who discovered the bug, Taviso, says, “Cloudflare reverse proxies are dumping uninitialized memory.” Taviso also notes, “It took every ounce of strength not to call this issue ‘Cloudbleed’.”
“I don’t know if this issue was noticed and exploited, but I’m sure other crawlers have collected data and that users have saved or cached content and don’t realize what they have, etc.,” Taviso says of the extent of the damage. “We’ve discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).”
As a precaution, Bitcoin users should take a few minutes to change their passwords and reset their 2FA on the relevant accounts. A full list of password managers, 2FA services, and bitcoin companies that may have been affected can be found here.