February 27, 2017

Cloudbleed Report

TL;DR No worries, we don’t use CloudFlare.

As you might have noticed last week, Google vulnerability researcher Tavis Ormandy has discovered a major security bug, now known as “Cloudbleed”, in Cloudflare’s CDN that has caused Cloudflare to “have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.” More can be seen here.

You might be concerned that some of yours (or your users’) sensitive data might have been compromised by this vulnerability. CloudSponge does not, and has never used CloudFlare, so your data is safe from this vulnerability. CloudSponge takes your data and privacy very seriously, and implements the highest industry standards of security on our systems.

Our API/Widget is is protected by multiple layers of security:

  1. SSL/TLS. This puts the “S” in HTTPS, and your traffic to our API or Widget is protected in house. This is what data may have been exposed due to the Cloudflare bug during the vulnerable period, (but remember we weren’t using Cloudflare)
  2. Data collected from your users address books are securely stored in memory within our network, that data does not leave us until it heads back to your user through SSL/TLS. This data is removed from memory , and is never written to a database or disk, ever.
  3. CloudSponge utilises a WAF (Web Application Firewall) which adds a further layer of protection against malicious activity, such as Cross Site Scripting, and SQL injection attacks.

Your account data is protected by your account password, and is only accessible to you. As a good security practice you should change your password regularly, and a situation like Cloudbleed is a good time to remind ourselves about this. It doesn’t hurt to take a minute and update your account password now just to maintain your security.

Again, CloudSponge takes your security and privacy very seriously. We regularly perform vulnerability assessments, and keep abreast of the latest security research/attacks. In the event of a situation like Cloudbleed or Heartbleed we assess the situation, and our exposure to risk, and react as quickly as possible to update our systems. In the case of a breach (Our servers were not breached), we promise to react immediately to secure our systems, and then alert all of our customers of the potential risks, and solutions for them.

Kevin Willock, Infrastructure Engineer at CloudSponge

Follow @xipher

Create your sandbox account now

Get Started

Your trial doesn’t start until you go live.