Popular Website Image Optimization Service Cloudflare May Have Exposed Data

March 13, 2017 | May 25th, 2021 | Cybersecurity

While Cloudflare isn’t a household name, it is one of the titans of the internet, having a massive presence as a reverse proxy service. It provides security and serves optimized content to many Fortune 500 companies and a whole host of smaller ones.

From September of last year to Feb. 20 of this year, thanks to a series of unfortunate events revolving around routine upgrades, an old HTML parser was activated. As a result, a very small percentage of incoming page requests, amounting to 0.00003% of the total number of requests the company received, were compromised. This amounts to roughly one out of every 3.3 million requests.

Operationally, this bug resembles Heartbleed, but was limited to Cloudflare servers. In instances where data was exposed, the exposure was complete, and given the sheer number of companies that use Cloudflare, the company’s recommendation is for everyone who uses the internet to reset all passwords.

A Google researcher stumbled on the bug by accident while working on a totally unrelated project. Cloudflare personnel were notified on Feb. 18, the same day the bug was confirmed.

They assembled a rapid response team and had resolved the issue by Feb. 20, but again, given the size and scope of Cloudflare’s client base, the recommendation stands. It is in every internet user’s best interest to change all passwords immediately. That’s all the more important given the unfortunate reality that too many people tend to use the same password across multiple websites, so if any of your information was swept up by a hacker during the period of vulnerability, it could lead to a total compromise of your identity.

Note that if your company makes use of Cloudflare’s services, your company’s data may have been exposed. At the very least, user names and passwords allowing hackers to access company accounts may have been exposed, so to be safe, changing those may be wise.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.