Monzo's response to Cloudbleed


(Tristan Thomas) #1

Last night, Cloudflare and Google’s Project Zero published details of a security incident affecting websites and apps that use Cloudflare, nicknamed “Cloudbleed.” The bug can lead to the compromise of sensitive data from websites and APIs that use Cloudflare. There is no risk to the vast majority of Monzo customers. However, we believe strongly in being transparent with our community, so we’re publishing a full report about the incident’s effect on our service.


(Josh Bray) #2

Thanks for being transparent on this issue.
Prevents rumours more than anything


(surohpotsirhC) #3

Changed my password anyway to TheJamesNicholsonExperience.


(Hal Ponton) #4

Firstly thanks for the transparent review of this issue. It’s nice to see a bank (or any company) for that matter doing this publicly.

I note that community.monzo.com redirects to getmondo.bydiscourse.com. Discourse has the ability to place a community behind Cloudflare and many community admins do.

So was / is the Monzo community behind Cloudflare (it doesn’t seem to be at the moment) and if so have any steps been taken to mitigate the risk of community members’ private details being leaked through the Cloudbleed bug?

Thanks


(Kenny Grant) #5

Great to see a bank respond to issues like this with a detailed and open report. What a contrast to the other banks I use.


(Richard Dingwall) #6

I can confirm community.monzo.com was not behind Cloudflare during the affected period. :slightly_smiling_face:


(Andrew Ross) #7

Transparent, straight to the point and prompt - why I believe in :monzo: so much!


(Hal Ponton) #8

Thanks Richard, that’s great. And a fast response as well.


#9

Thanks for the prompt and full briefing.

I see CloudFlare was instead focusing on the font, case and size of their logo in September 2016, when the vulnerability was created: Six years old and time for an update: CloudFlare becomes Cloudflare, 27 Sep 2016


#10

Do you expect to continue to proxy requests through a third-party once the API comes out of beta? Do your agreements with CloudFlare conform to the protections that you need to offer customers as a regulated bank?


(Tommy Long) #11

Well, Monzo is hosted on a third-party (Amazon Web Services) and will realistically continue to be in the future (since AWS, etc. are the future) and so will always be reliant on third parties. The actual agreements that matter are those with AWS since they hold the data and host the API methods. The agreements with AWS should be pretty thorough since AWS do a lot of government business.


(Jolin) #12

Yes, I was also wondering if there are any infrastructure changes planned given Monzo’s experience with Cloudbleed. Really appreciate the transparency (thanks!), so not trying to detract from that. Just curious if there’s a “lessons learned” that came out of this as well.


#13

The actual agreements that matter are those with AWS since they hold the data and host the API methods.

The agreements with CloudFlare matter too; they are proxying sensitive customer information.


(Oliver Ford) #14

Good idea. We can’t advise on how strong of a password that is though, if that was your goal in sharing, since it just shows as *************************** to us. (But you should be able to see it in the quote still, since it’s your password.)


(Jeremiah Cuddlestone) #15

I presume that if you were a bank you would have to disclose this to all the affected users individually but I haven’t received any kind of personal notification about this problem. Are there plans in place to actively notify users about breaches like this in the future? I hate to say it but I imagine that given that you’re hosting sensitive data on AWS, it’s only a matter of time before this kind of thing happens again.


(Alex Sherwood) #16

Monzo is a bank, it has a banking license. It doesn’t have a full license yet but I presume that its obligations in this area are the same as they would be, if it did.

As the blog says,

Only clients of the developer API are affected.

so unless you created a client on the developer’s site & used it to sign into a 3rd party developer’s app, there is no risk that sensitive information related to your account has been leaked.

There are very few users whose data has been put at risk by Cloudbleed -

We do not yet allow apps built using our beta developer API to be made publicly available, so usage is very low – specifically, only developers themselves and a limited number of users they explicitly whitelist can use the API.

It’s also worth noting that Monzo published this blog over an hour before its most similar competitor (which also has a banking license) had even publicly acknowledged the issue & that AFAIK, that competitor has not publicly broken down the risks to its customers, although it has advised them to change their passwords - something that Monzo users haven’t had to do.

Hosting on AWS is not a vulnerability, as long as the necessary safeguards are put in place. If it was an unreasonable risk, the regulator would not allow Monzo to use the service - a restriction they lifted in November 2015.


(Jeremiah Cuddlestone) #17

Hosting on AWS is not a vulnerability, as long as the necessary safeguards are put in place. If it was an unreasonable risk, the regulator would not allow Monzo to use the service

I bet you would have said the same about Cloudflare last week.


(Esther Kho) #18

Not unless they have to meet the same lengthy requirements as AWS does with financial institutions in the EU… http://www.allthingsdistributed.com/2015/03/aws-and-eu-data-protection.html