A typo in the source code of a Cloudflare component has led to the exposure of the personal information of users of over 3,400 websites, including popular services like Uber, Fitbit, and OKCupid. The content delivery network has acknowledged the issue and said it has fixed the underlying problem.
Cloudflare bleeds data
Cloudflare helps optimize the security and performance of over 5.5 million websites. Because of a bug in Cloudflare, user data from 3,400 websites was leaked and cached by search engines. The leaked data includes usernames, passwords, cookies, authentication tokens, API keys, and more. 1Password was among the popular services affected by this bug; however, thanks to end-to-end encryption, no 1Password customer data was exposed.
According to researchers, the leakage began in September, five months before it was discovered. Some of the sensitive data was cached by Google and other search engines. This essentially means that hackers had real-time access to the data.
The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
Cloudflare has identified 770 unique URIs in the search engine caches that contained leaked memory. Cloudflare said the disclosure was made only after the leaked data was fully purged with the help of the search engines.
Cloudflare "severely downplays the risk to customers"
Cloudflare has acknowledged the issue was serious, but downplays its severity. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."
Cloudflare CTO John Graham-Cumming said users don't need to worry about changing their passwords because there is a very low chance that their login information would be found.
The bug was reported to the company by Tavis Ormandy from Google’s Project Zero, who tried not to call the issue cloudbleed. [We hear you!] After Cloudflare published the blog post, Ormandy said that "it contains an excellent postmortem, but severely downplays the risk to customers."
"I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have."
"While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point - for months," Security researcher Ryan Lackey agreed to Ormandy. "Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet."
"From an individual perspective, this is straightforward - the most effective mitigation is to change your passwords," Lackey added.