Written by Elliott Abraham, CISSP
Senior Security Architect at ADAPTURE

What is Cloudbleed?

There is a serious new internet bug in the news, and it even has one of those sinister sounding names. This bug, dubbed “Cloudbleed” by the security researcher who discovered it, is named in part because of its similarity to the Heartbleed bug, which infected more than 500,000 websites at its zenith nearly three years ago. But as troubling as the reality of Cloudbleed is, there is good news.

To quickly help illustrate what this bug is, imagine this scenario: you go to your favorite restaurant, and instead of only receiving the menu, you receive the menu but also what the patrons before you ordered. Not only do you receive what they ordered, you get their credit card numbers in addition to the usernames and passwords for several other websites that they frequent. Not only do you get the URLs of those websites, but the waiter also hands you photos with screenshots of the actual sites the patrons before you have visited—all while you sit there thinking, “I didn’t ask for any of this, I just wanted a meal.” This scenario is not so farfetched when one realizes the serious nature of the bug discovered in the Cloudflare Content Distribution Network code. Again, I’ll state this is a good news story.

Cloudflare is an internet security company that also helps spread traffic from high-volume websites across the internet to make content accessible from resources closer to the requestor. Cloudflare also provides SSL services. The company has some very large customers (Uber, OKCupid, Cisco and others). The nature of Cloudbleed is certainly serious, but this is a good news story.

Here is the good news.

It is often said that sunlight is the best disinfectant—meaning that transparency keeps threats out of the shadows. In the world of cybersecurity, to know better truly is to do better for well-intentioned companies. A Google Project Zero security researcher named Tavis Ormandy discovered this bug and reported it. It is beyond the scope of this post to discuss the technical details of the bug. But the good, no the great, news of this story is how swiftly and deliberately Cloudflare responded to Cloudbleed. Within 44 minutes of finding out about the bug, Cloudflare stopped it. It would take another 7 hours for the problem to be fixed completely, but Cloudflare acted very responsibly and transparently. A very detailed account of the bug can be found on the Cloudflare site.

This is a good news story because, rather than hide from the bug, Cloudflare reported great information, keeping users and customers well-informed. Threat actors are counting on the fact that we will be ashamed and hide in the shadows instead of sharing threat information in this way. Project Zero is doing great work.

Sunlight is the best disinfectant; that is the good news of this story. The more we all work together, the less likely it will be for threat actions to go unreported.