Cloudflare Bug Leaks Passwords, Other Data From Its Customers’ Websites

Friday, February 24, 2017 9:09

Cloudflare is warning customers their data may have been compromised after a bug in its software exposed sensitive information such as passwords.

The bug, which has since been fixed, caused plaintext versions of passwords, cookies and authentication tokens to be returned in HTTP responses, and some of that data was cached by search engines. Cloudflare's five-million-strong customer base includes major companies such as Uber, FitBit and OKCupid.

The bug, discovered last week by Tavis Ormandy of Google's Project Zero, had its greatest impact from Feb. 13 to Feb. 18, when roughly one in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. However, security entrepreneur Ryan Lackey said the bug may have been active since September of 2016.

“While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed,” Lackey said in a blog post. “Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently and before Tavis, and may have been actively exploiting it, but there is no evidence to support this theory.”

Cloudflare, in a Thursday blog post, said that after learning of the problem from Ormandy it was able to act quickly, shutting off three minor Cloudflare features (e-mail obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were “all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.”

“Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day,” the company said. “The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under seven hours with an initial mitigation in 47 minutes.”

For average Web users, Lackey said the best course of action, rather than trying to figure out if sites and services they used were impacted, would be to change all of their passwords.

“While this might not be necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues,” he wrote. “…rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites.”

Cloudflare's blog post offers a detailed technical explanation of the bug and how it was fixed.


Jennifer Cowan is the Managing Editor for SiteProNews.

The post Cloudflare Bug Leaks Passwords, Other Data From Its Customers’ Websites appeared first on SiteProNews.

