A recently discovered bug in the systems of security company Cloudflare is giving many participants in the bitcoin industry a serious reason to worry. The memory leak, dubbed "Cloudbleed," has also been cited as a case against concentrating critical infrastructure with a single provider.
The bug is reported to have been present in Cloudflare's systems since last September, before being detected in February. A parsing flaw caused Cloudflare's edge servers to include chunks of uninitialized memory in some HTTP responses, and because those servers handle traffic for many customers at once, that memory could contain data from other sites' requests, including passwords, private messages, encryption keys and session cookies, exposed to anyone who cared to look. Some of the affected responses were also cached by search engines, so the exposure did not depend on an attacker being present at the moment of the leak. This constitutes a serious security risk to users.
Reports have it that the memory leak was discovered and reported by Tavis Ormandy, a Google security researcher. After learning of it, Cloudflare took action to remedy the issue.
Most cryptocurrency platforms use Cloudflare's services for anti-DDoS protection. That protection works by routing a site's traffic through Cloudflare's reverse proxy, which terminates TLS and therefore handles request contents in plaintext, which is why a bug in Cloudflare's servers could expose the data of the sites behind it. This makes the security issue a particular worry for bitcoin users.
Coinbase is thought to be among the bitcoin websites whose user accounts may have been compromised as a result of the Cloudbleed incident.
But the leak is not just an issue for those in the cryptocurrency space. Cloudflare's services are also used by many other websites. More than 1.2 million user accounts spread across over 3,400 sites, including OKCupid and Uber, were reportedly affected.
Cloudflare has so far tried to downplay the gravity of the security issue. Its officials say the level of risk is minimal and that the threat has been blown out of proportion.
Cloudflare Chief Executive Officer Matthew Prince believes the bug was dealt with before it could be fully exploited.
“It could have been extremely bad,” he told New York Magazine in an interview. “I think that we largely dodged a bullet.”
In spite of the claims of minimal risk by Cloudflare officials, security experts advise users of possibly affected sites to consider changing their passwords, especially where financial transactions are involved. Cryptocurrency exchanges and services have been emailing their users asking them to take precautionary steps to better protect their accounts. Suggested actions to remedy the potential issue include changing passwords and API keys and activating two-factor authentication. Since session cookies were among the data that could have leaked, logging out of all active sessions, which invalidates any cookie an attacker may hold, is a sensible additional step.
The exact number of websites affected by the Cloudbleed memory leak is not known. Cloudflare, a company which protects millions of websites against DDoS attacks, is unwilling to share such information for security reasons.
But some observers say it is possible that many major websites were affected in the incident. This is based on the revelation that the leak probably started around Sept. 22 last year, with the greatest exposure reported in the days immediately before the bug was found in mid-February.
Aside from Coinbase, other bitcoin-related platforms that use Cloudflare's services include BitPay, Bitstamp, BTC-E, Kraken, LocalBitcoins and Bitfinex. Many, if not all, of these companies have already asked their clients to change their passwords at once.
It is not entirely clear whether hackers and other online criminals were able to access user information as a result of the Cloudbleed bug. No direct evidence of malicious exploitation has been reported, but leaked memory was found in pages cached by search engines, so sensitive data was demonstrably exposed in public even if nobody is known to have used it.
Some observers say the incident shows how many websites can be exposed at once when they all rely on the same provider for anti-DDoS protection.