NOTICE: Cloudflare bug is reminder to practice good password management
Friday, February 24, 2017
A number of popular websites that use Cloudflare exposed personal information as a result of a recently discovered bug in Cloudflare's software. The bug, identified by Google researchers, has been fixed, but passwords, private messages, and other sensitive data may have been exposed.
Pieces of data sent and received by sites using Cloudflare were inadvertently slipped into webpages. According to The Register, "that means if you visited a website powered by Cloudflare, you may have ended up getting chunks of someone else's web traffic hidden in your browser page." The problem was exacerbated by search engines caching the leaked information.
We are not aware of any U-M services or websites that have any connection to Cloudflare.
If, however, you use sites that use Cloudflare—which include Uber, Fitbit, OKCupid, and many more—you may want to consider changing your passwords for those sites. GitHub is compiling a list of sites possibly affected by the bug.
In general, you can best protect yourself against the effects of security vulnerabilities like this by practicing good password management:
- Use a unique password for each service or website. That way, if a password is compromised, it only affects one service.
- Do not use your UMICH password outside the university. We recommend that you use your UMICH (Level-1) password only for U-M services. Other services may not provide the same level of password protection that U-M does.
- Change your passwords on a regular basis. We recommend, for example, that you change your UMICH password every six months. A good way to remember this is to change your password when you change your clocks for the start and end of Daylight Saving Time (see Password Security Checklist).
- When in doubt, change your password. If you suspect a problem with a password, change it. Be sure to choose a strong password that cannot be guessed.
- Choose two-factor. Take advantage of two-factor authentication whenever it is offered. This provides an extra layer of security. You can turn on two-factor for Weblogin at U-M, for example.
- Google Just Discovered A Massive Web Leak... And You Might Want To Change All Your Passwords (Forbes, 2/24/17)
- Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug (The Register, 2/24/17)
- Serious Cloudflare bug exposed a potpourri of secret customer data (Ars Technica, 2/23/17)
- Incident report on memory leak caused by Cloudflare parser bug (Cloudflare blog, 2/23/17)
- List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak (GitHub)