There are 4,287,625 domains, including Uber, FitBit, and Patreon, that may have been affected by a large security bug that leaked people's personal information into other people's browsers. From as far back as September 22 to February of this year, user data was slowly leaking into the caches of Google, Bing and other bots that crawl the internet. The error affects almost all websites that use Cloudflare for security and content delivery, causing pieces of user data to be dumped into web pages. The Orange County Register compared the issue to sitting down at a clean table in a restaurant and being handed the previous diner's wallet.
Tavis Ormandy, a vulnerability researcher on Google's Project Zero team, reported to Cloudflare on February 17 that large chunks of data, including sensitive user data, were being cached in pages crawled by Google's search engine. In his attempts to reproduce the issue, he found that if an HTML page hosted by Cloudflare contained a specific combination of unbalanced tags, Cloudflare's servers would intersperse pages of uninitialized memory into the output, meaning that if you accessed one such website, chunks of your private information could be picked up by another website.
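Added illustration (not from the article or from Cloudflare): a toy C model of the bug class behind this leak, an end-of-buffer check written as an equality test that a multi-byte step can jump over, so a tag cut off at the end of a response makes the scanner keep copying stale bytes from memory the request never owned. It goes beyond what the article states: the pointer-comparison root cause is taken from Cloudflare's public postmortem, and the arena, the cut-off tag and the secret token are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed arena: one reused buffer. The first REQ_LEN bytes hold the page
 * being served; the bytes after it are stale data from an earlier request. */
#define ARENA_LEN 64
#define REQ_LEN   21
#define TAG_AT    9                      /* offset of the cut-off <script tag */
static const char arena[ARENA_LEN] =
    "<p>hi</p><script src="             /* current page, tag cut off at the end */
    "id=SECRET-TOKEN-123>";             /* stale bytes, the "previous diner's wallet" */
/* Copy one tag from p into out, stopping at its closing '>'. On '=' the scanner
 * consumes two bytes at once (a stand-in for a multi-byte state transition).
 * hard_end only keeps this model memory-safe; the real parser had no such guard. */
static size_t scan_tag(const char *p, const char *pe, const char *hard_end,
                       char *out, size_t outcap, int fixed)
{
    size_t n = 0;
    /* Buggy "p != pe" is never true again once p has stepped over pe. */
    while ((fixed ? p < pe : p != pe) && p < hard_end && n + 2 < outcap) {
        char c = *p++;
        out[n++] = c;
        if (c == '>')                      /* tag closed normally */
            break;
        if (c == '=') {                    /* two-byte transition */
            if (fixed && p >= pe)          /* fixed: second byte is past the end */
                break;
            out[n++] = *p++;               /* buggy: walks past pe when '=' is last */
        }
    }
    out[n] = '\0';
    return n;                              /* bytes written to out */
}

/* Serve the cut-off tag from the arena with the buggy (fixed == 0) or the
 * corrected (fixed == 1) bounds check. */
static size_t serve_tag(char *out, size_t outcap, int fixed)
{
    return scan_tag(arena + TAG_AT, arena + REQ_LEN, arena + ARENA_LEN,
                    out, outcap, fixed);
}

int main(void)
{
    char out[ARENA_LEN];
    serve_tag(out, sizeof out, 0);
    printf("buggy: %s\n", out);            /* prints <script src=id=SECRET-TOKEN-123> */
    serve_tag(out, sizeof out, 1);
    printf("fixed: %s\n", out);            /* prints <script src= */
}
```

The buggy scan emits the other request's token because nothing ever re-checks the buffer end once the pointer has passed it; the corrected scan stops at the cut-off tag and emits only the bytes the request owned.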
Cloudflare reacted within an hour of hearing of the issue from Ormandy, killing its Email Obfuscation service, and its Automatic HTTPS Rewrites a little over three hours later. Cloudflare's logs showed that the greatest amount of leakage occurred between February 13 and 18, when about 1 in every 3,300,000 HTTP requests resulted in memory leakage. Major news outlets have advised users of websites that use Cloudflare to change their passwords, even for accounts protected by two-factor authentication.
Cybersecurity today is a growing concern as more and more people enter the cyber world. Cyber attacks are growing in frequency and intensity, yet many go under-reported or entirely unreported, leaving users with a false sense of security. At WEST 2017, a conference held by the United States Navy, there was a discussion of the steps the military is taking to expand the reach of cyber in its operations.
Sean Chiang, Troy HS, 11th Grade