S’pore websites at risk of data leak caused by Cloudbleed bug

SINGAPORE — Singapore-registered Web domains could be among those exposed to the Cloudbleed bug, which causes private information keyed into supposedly secure websites to be leaked.

The authorities are monitoring the situation but no data leaks have been reported by companies or individuals so far.

Around the world, the bug has hit up to hundreds of thousands of URLs belonging to websites using the services of Internet infrastructure provider Cloudflare. A bug in Cloudflare’s software caused information from websites to be leaked, and some of the data have been cached by search engines such as Google and Yahoo, causing them to be publicly accessible.

Globally, passwords from sites owned by organisations including Fitbit, OkCupid and Uber have reportedly been leaked for months, according to a Business Insider article. Cloudflare was quoted in the report saying that data had been leaked between September last year and this month.

A list of more than 2,500 Singapore websites — owned by various organisations in the private and public sectors — at risk of being affected by the Cloudbleed bug has also surfaced.

For example, domains belonging to news websites mothership.sg and tamilmurasu.com.sg and transport service beeline.sg, were on the list. However, TODAY understands that these sites were not affected by the bug.

In response to media queries, the Cyber Security Agency of Singapore said it is monitoring the situation. “Organisations can seek help from SingCert (Singapore Computer Emergency Response Team) if they encounter cyber security incidents,” said Mr Dan Yock Hau, director of National Cyber Incident Response Centre.

The threat was flagged last Friday by SingCert, which warned of a “critical system vulnerability” caused by the bug.

Cloudflare hosts more than 5.5 million websites.

“Search engines such as Google, Yahoo, etc could have cached some of the leaked memory through their normal crawling and caching processes. Visitors who have keyed in their personal data on affected websites could potentially be at risk,” SingCert said in its advisory.

It urged website administrators using Cloudflare services to perform their own risk assessment.

According to SingCert, Cloudflare has identified a total of 770 unique URLs of such cached content, and has gotten the cooperation of search engine providers to purge them.

A Personal Data Protection Commission (PDPC) spokesman said that to date, it has not been notified by organisations or individuals here that their data have been compromised due to the bug.

“The PDPC will continue to monitor the situation and may investigate should there be any indication of a potential breach of personal data protection obligations,” the spokesman said.

In the Business Insider article, Cloudflare chief technology officer John Graham-Cumming said that most of the exposed data have been removed from the caches of search engines including Google.

At its peak earlier this month, about 120,000 webpages were leaking information every day, he said.

Cyber security experts here told TODAY it is possible that some Singapore companies might have been affected but were unaware of it.

Mr Anthony Lim, director of Cloud Security Alliance, said: “It is hard to tell how widespread this bug is, as bugs are hard to detect, unlike attacks. There is no immediate protection till someone builds a patch, which Cloudflare has ... What companies should do now is build their defences, as hackers will now try to exploit the vulnerability.”

Mr Bill Taylor-Mountford, vice- president (Asia-Pacific & Japan) for security intelligence firm LogRhythm, said companies here that use Cloudflare’s services should verify if their data have been compromised, and take immediate corrective actions if necessary.

“While the full extent of damage from the Cloudbleed leak has yet to be established, what is worrying is that this vulnerability existed for almost five months before it was discovered and subsequently rectified,” he said. He added: “For consumers, to be on the safe side, they should consider changing the passwords to sensitive accounts.”