[BreachExchange] Uber, Fitbit, OKCupid information exposed by wide-reaching flaw

Fri Feb 24 20:05:49 EST 2017

https://www.cnet.com/au/news/uber-fitbit-okcupid-cybersecurity-password-
information-exposed-wide-reaching-flaw/

Usernames and passwords leaked onto the open internet earlier this month
due to a security bug that affected 3,400 websites, including popular
services like Uber, Fitbit and OKCupid, according to a disclosure Thursday
by cybersecurity company Cloudflare.

You wouldn't mind if someone could break into the personal accounts you use
to track your movements, fitness and love life, would you?

While there's no indication hackers actually accessed usernames and
passwords, as well as a slew of other private information sent by users
over the services, the information was exposed both on corrupted versions
of the websites and in cached results on search services like Google and
Bing.

"The bug was serious because the leaked memory could contain private
information and because it had been cached by search engines," John
Graham-Cumming, Cloudflare's chief technical officer, wrote in a blog post
detailing the flaw.

Google security researcher Tavis Ormandy identified the flaw on Friday. In
his report about the bug, which also became public on Thursday, he said he
found "private messages from major dating sites, full messages from a
well-known chat service, online password manager data, frames from adult
video sites, hotel bookings."

The flaw originated in a widely used tool provided by Cloudflare, which was
meant to help manage and protect internet traffic for the affected
websites. In addition to usernames and passwords, messages sent over any of
these platforms -- and any other information sent via web browser to the
affected sites -- could have been exposed.

Uber and Fitbit didn't respond to requests for comment. OKCupid didn't
provide a comment. Graham-Cumming said 3,400 total websites were using the
tool that contained the flaw and confirmed these three were among those
affected. But he declined to name any other services that might have had
user data leak due to the problem.

A trickle of data, and then a surge

The flaw is now fixed and the leaked information has been purged from
search engines, meaning it's no longer exposed on the internet. After
Ormandy identified the problem and notified Cloudflare on Friday, the
company set up a team to fix the problem in a matter of hours. The flaw has
been resolved since Saturday.

The information was exposed in bits and pieces as users interacted with the
affected websites starting in September. The leak peaked in the week of
Feb. 13-17, Graham-Cumming said in an interview. The information would
appear on the webpage in a seeming string of nonsense, which users would
most likely not know how to interpret, Graham-Cumming said. The data
leakage was "ephemeral" because it would disappear the second a user closed
the web page.

More worryingly, though, the leaked information was also cached by search
engines like Google and Bing as they crawled the web and encountered the
corrupted web pages.

After fixing the flaw, Cloudflare focused on erasing any trace of the
leaked information from the internet. That meant working with search
engines to purge the cached records of the corrupted webpages.

What's the danger?

Graham-Cumming said users don't need to worry about changing their
passwords, because there is a very low chance that their login information
was found by someone who knew where to look for it.

However, in his report of the bug, Google researcher Ormandy said
Cloudflare's disclosure "severely downplays the risk to [Cloudflare]
customers." Ormandy was referring to a draft of the disclosure he saw
before Cloudflare went public with the news on Thursday.

It's not clear whether Ormandy thinks end-user information is more
vulnerable than Cloudflare is saying. Ormandy did not respond to questions
about whether end-users of the affected websites should change their
passwords or if they should be concerned about any other pieces of
information that could have been exposed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170224/a5a04058/attachment.html>