Cybersecurity is one of the major concerns of the cryptocurrency industry. As cyberthreats increase, online platform operators are flocking to performance and security solutions providers like Cloudflare to ensure that their websites are protected from DDoS and other attacks. But what happens when something goes wrong with the service that is meant to protect digital property worth millions of dollars?
A recent issue with Cloudflare’s edge servers created a sense of panic among many cryptocurrency exchange operators. Some of them have asked their users to take precautionary measures by changing their login credentials and resetting two-factor authentication for their accounts. Cloudflare reported the memory leak issue, known as Cloudbleed, in a recent blog post.
According to the blog, Cloudflare was informed of the issue by Tavis Ormandy from Google’s Project Zero. Ormandy reported the security problem with Cloudflare’s edge servers, which he discovered while investigating corrupted web pages. Offering more details about the incident, the company said:
“…our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”
However, Cloudflare has clarified that the customers’ SSL private keys were not compromised by the bug as the service always terminates SSL connections through an isolated NGINX instance. The memory leaked by the Cloudbleed bug could have contained private information which was cached by search engines. The issue seems to have gone unnoticed for almost a week, affecting 1 in every 3.3 million HTTP requests made through Cloudflare.
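One way an over-read like the one in the quote can arise, as an added example that is not Cloudflare's code: a scanner that tests for end-of-buffer with an equality check can step over the end pointer and keep emitting adjacent memory, while a bounds check stops. The arena layout, the two-byte token rule and the `scan` function are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena: an 8-byte request followed, in the same array, by bytes
   standing in for another request's data. One array keeps the demo's
   over-read inside defined memory. */
static const char ARENA[] = "a=1&b=2&" "token=CONSTRUCTED";
#define REQ_LEN 8

/* Toy scanner (hypothetical): copies bytes to out; '&' starts a two-byte
   token, so the scanner emits it and steps over the next byte as well.
   hardened=0 ends the loop only when p == pe; hardened=1 uses p < pe. */
static size_t scan(const char *buf, size_t len, size_t arena_len,
                   char *out, int hardened)
{
    const char *p = buf, *pe = buf + len, *stop = buf + arena_len;
    size_t n = 0;

    while (hardened ? (p < pe) : (p != pe)) {
        if (p >= stop)              /* demo guard: never leave the arena */
            break;
        out[n++] = *p;
        p += (*p == '&') ? 2 : 1;   /* a trailing '&' moves p to pe + 1 */
    }
    return n;
}

int main(void)
{
    char safe_out[64], weak_out[64];
    size_t total = strlen(ARENA);

    size_t safe = scan(ARENA, REQ_LEN, total, safe_out, 1);
    size_t weak = scan(ARENA, REQ_LEN, total, weak_out, 0);

    printf("bounds check   : %zu bytes \"%.*s\"\n",
           safe, (int)safe, safe_out);
    printf("equality check : %zu bytes, %zu from beyond the request: \"%.*s\"\n",
           weak, weak - safe, (int)(weak - safe), weak_out + safe);
    return 0;
}
```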
BTC-e, the Bitcoin exchange and betting platform, has suggested a series of measures to its users to prevent any undesired fallout from the incident. The advisory issued by BTC-e is as follows:
1) You should change your account password before 16:00 (GMT +3) on 26.02.2017. If you fail to do so, your password will be reset automatically.
If you enabled 2-factor authentication between the 12th and the 20th February 2017, we strongly recommend you disable and re-enable it again.
2) You should re-create your API keys (info, trade, btc-e code withdraw coupon) before 16:00 (GMT +3) on 26.02.2017.
If you fail to do so, all your keys will be blocked automatically.
3) Cloudflare explicitly mentions that SSL certificates were not leaked. However, we will change SSL certificates for btc-e.com and btc-e.nz within the next several days to provide additional security.
It is always a good idea for users to review and reset their credentials at regular intervals. Whether or not they use BTC-e or its APIs, users should follow the suggestions that apply to them to ensure that they are not affected at a later date.
Ref: Cloudflare | BTC-e