A security flaw has been uncovered in the major internet utility Cloudflare, which millions of web businesses depend on. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare's response team said on Thursday.
A list of 4,287,625 possibly affected domains includes many in the bitcoin space. The leaked data includes passwords, private messages, API keys, and other sensitive data, although such data could not be targeted and fell into the hands of random requesters. While the earliest date memory could have leaked is September 2016, Cloudflare has had no reports that outside parties had identified the issue or exploited it.
The bug was discovered on Friday by Google vulnerability researcher Tavis Ormandy, who notified Cloudflare about the leak immediately. Within 47 minutes, Cloudflare reported the leak as plugged, and the underlying issues were corrected within 7 hours.
Self-described cypherpunk and former Cloudflare employee Ryan Lackey subsequently wrote an in-depth "how to deal with it" article, approved by Ormandy. Lackey provides system administrators with advice on handling the problem, and advises all Cloudflare users about what to look for.
"The most sensitive information leaked is authentication information and credentials," Lackey explains. A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced.
Cloudflare is one of the most popular content delivery networks, and is used by all kinds of websites to lower bandwidth costs and protect against DDoS attacks. In the bitcoin service community specifically, major exchanges and utilities are on the list, including Coinbase, Blockchain.info, BTC-E, Bitpay, Localbitcoins, Glidera, Poloniex, BitcoinCharts, and Kraken.
Other major websites that Bitcoin users may visit on the list include Authy, Uber, Yelp, Medium, Upwork, Fiverr, Taringa!, Zoho, Pastebin, DigitalOcean, Namecheap, Glassdoor, Prosper, TorrentFreak, OKCupid, Zendesk, FitBit, oDesk, Pingdom, Techdirt, Statcounter, Typepad, Udemy, TechinAsia, Producthunt, and 4Chan, to name a few.
The users of these services are advised to change passwords and reset any two-factor authentication. "While Cloudflare's service was rapidly patched to eliminate this bug, data was leaking constantly before this point, for months," states Lackey. Some of this data was cached publicly in search engines such as Google, and is being removed.
BitPay was among the first in the bitcoin community to publicly respond to the leak. "We believe that it would not be possible for a BitPay user's password to have been exposed by this bug," the company states, while recommending that users "take the time to reset your password."
Coinbase issued a statement several hours later. The company discovered a single instance of a leaked Coinbase session cookie, which they immediately invalidated. "We have no reason to believe that any Coinbase customer's personal data or account has been compromised." Users are advised to log out of any mobile apps and log back in to clear that session cookie. They also advised businesses using their API to get a new key.
The reclusive Russian exchange BTC-e also advised users to change their API keys, and for safety gave them until Sunday the 26th to change their login credentials. If not changed by then, users will be logged out of the exchange and forced to change them before logging back in.
Kraken and Glidera both sent out an email to their users recommending a password and two-factor authentication update. Canadian bitcoin exchange QuadrigaCX posted similar instructions on the bitcoin Reddit forum.
A similar wide-scale vulnerability affected the world in April 2014. The Heartbleed bug, which Cloudbleed is named after, was a weakness in site security encryption. That bug also leaked small chunks of private data from computer memory, but did so when websites used OpenSSL, a very common way for business websites and even banks to protect against hackers and theft. The fix for Heartbleed was more difficult than the fix for Cloudbleed, in that websites had to upgrade to a new version of OpenSSL.
Bitcoin was also susceptible to the bug, and developers addressed the issue in Bitcoin Core version 0.9.1. Exchanges were the most vulnerable, but after the developers issued the patch, the major exchanges had all upgraded in a matter of hours. Cloudbleed, on the other hand, requires all users to take action in order to stay safe.
Read the original post:
The Cloudbleed bug affects a range Bitcoin users - Brave New Coin