Cloudflare memory leak dumps unknown quantity of sensitive, unencrypted data online
- Author: Carolyn Briggs, Feb 25, 2017, 10:10
In a statement to CBS News, Cloudflare downplayed the leak, writing "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution".
The security hole was in Cloudflare's HTML parser, which does not simply parse customers' HTML but also rewrites it on the way through. A bug in that code meant that, under certain conditions, an edge server could return fragments of its own memory in the responses it sent, including data belonging to other requests passing through the same server; the company warned that private data such as passwords, cookies and authentication tokens might have been exposed this way. Because search engines routinely cache web content for faster serving, some of the leaked data from Cloudflare-fronted sites was also captured in the caches of Google and other engines.
Cloudflare hasn't uncovered any evidence that the bug was discovered by anyone other than Tavis Ormandy, the Google Project Zero researcher who reported it, but it never hurts to refresh your passwords, particularly since they might still be exposed in a cache. Cloudflare admitted that the bug might have been active since September 22, 2016, and reached its zenith from February 13 to February 18, 2017.
However, the bad news is that there is no way of knowing exactly what data may have leaked.
Cloudflare is an internet proxy that sits in front of its customers' websites and aims to protect them from malicious attacks, such as distributed denial-of-service (DDoS) attacks. Because it terminates its customers' HTTPS connections and handles their traffic in plaintext, the memory of its edge servers holds unencrypted request and response data, which is why the leaked material was readable as-is.
"Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug", the company wrote in a blog post following Ormandy's public disclosure on Thursday.
The leak (unofficially titled "Cloudbleed" in reference to 2014's Heartbleed vulnerability) was the result of a "buffer overrun", Cloudflare said: a mistake in parser code the company had generated with the Ragel state-machine compiler and had been using for years. Under certain conditions the parser read past the end of the buffer holding the page being rewritten and copied whatever followed in memory into the response. (When you visit a website, your browser makes an HTTP request to load the page, and only a small fraction of such requests hit the faulty path.) According to Cloudflare, about 0.00003 percent of requests through its network, roughly one in 3.3 million, could have leaked personal information.
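The C program below is an added illustration of the bug class described above and is not Cloudflare's parser code, which this page does not reproduce. It simulates a tag-attribute scanner whose end-of-input check is an equality test against the end pointer (the pattern Cloudflare's own post-mortem blamed): a two-byte escape step moves the cursor one byte past the end of the page, the `== pe` test never fires, and the copy runs on into the constructed "neighbouring request" data laid out after the page. The hardened variant uses `p < pe` and checks that the escape fits. The arena layout, page and cookie bytes, and the `leak_demo` and `extract_attr_value` names are all made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed arena standing in for a slice of one process's heap: the HTML
 * being rewritten occupies the first part, and the bytes immediately after it
 * belong to an unrelated request (a made-up session cookie). Both are
 * invented for this example. */
enum { ARENA_LEN = 160, OUT_LEN = 128 };
static char arena[ARENA_LEN];

/* The page ends inside an attribute value, right after a backslash, so the
 * two-byte escape step in the scanner lands the cursor one byte past the end
 * of the page instead of exactly on it. */
static const char PAGE[] = "<a title=\"hello\\";
static const char NEIGHBOUR[] =
    "Cookie: session=SECRET-TOKEN-123\" Authorization: Bearer abc";

/* Lay the page and its neighbour out back to back; returns the page length,
 * i.e. the offset the end pointer pe should point at. */
static size_t build_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, PAGE, sizeof PAGE - 1);
    memcpy(arena + sizeof PAGE - 1, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return sizeof PAGE - 1;
}

/* Copy the first quoted attribute value in [p, pe) into out.
 *
 * strict == 0 reproduces the bug class: the loop only asks "p == pe?", so once
 * the escape step has moved p beyond pe the test never fires and the copy
 * keeps going through whatever memory follows the page.
 * strict == 1 is the hardened form: p < pe as the loop condition, plus a check
 * that a two-byte escape actually fits before the end. */
static size_t extract_attr_value(const char *p, const char *pe, int strict,
                                 char *out, size_t out_len) {
    size_t n = 0;

    while (p != pe && *p != '"')          /* find the opening quote */
        p++;
    if (p == pe)
        return 0;
    p++;

    for (;;) {
        int at_end = strict ? !(p < pe) : (p == pe);
        if (at_end || *p == '"' || n + 1 >= out_len)
            break;
        if (*p == '\\') {                 /* backslash escape: consume 2 bytes */
            if (strict && p + 2 > pe)     /* hardened: escape must fit */
                break;
            out[n++] = p[1];
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Run the scanner over the constructed arena; returns bytes copied into out. */
size_t leak_demo(int strict, char *out, size_t out_len) {
    size_t page_len = build_arena();
    return extract_attr_value(arena, arena + page_len, strict, out, out_len);
}

int main(void) {
    char out[OUT_LEN];
    leak_demo(0, out, sizeof out);
    printf("buggy (== pe) : %s\n", out);   /* includes the neighbour's cookie */
    leak_demo(1, out, sizeof out);
    printf("fixed (>= pe) : %s\n", out);   /* stops at the page boundary */
    return 0;
}
```

The buggy run copies "hello" followed by the whole neighbouring cookie up to the next quote character; the strict run stops at "hello". The lesson for any hand-written or generated scanner is the same: a cursor that can advance by more than one byte must be bounded with an ordering comparison, never an equality test, and multi-byte steps need their own fit check.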
Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches.
Among the affected websites are popular services such as Uber, Fitbit and the dating site OkCupid, each with millions of users worldwide.
"At the peak, we were doing 120,000 leakages of a piece of information, for one request, per day", the company's chief technology officer, John Graham-Cumming, told TechCrunch. "We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything", Ormandy wrote. This data was available to anyone, even web spiders used by search engines.
Cloudflare says a bug in its edge servers exposed the data of its customers, including the websites of some big names. Change passwords, use two-factor authentication and stay safe out there.