Private data leaked online by Cloudflare bug
Internet users Friday were being urged to change all their passwords in the wake of a Cloudflare bug that could have leaked passwords, messages and more from website visits.
A Cloudflare service used by millions of websites to enhance security and performance said that it had fixed the flaw quickly after being alerted a week ago by Google researcher Tavis Ormandy.
“It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” Cloudflare chief technology officer John Graham-Cumming said in a blog post.
“And some of that data had been cached by search engines.”
Essentially, sensitive data intended to be temporarily stored overflowed “buffering” memory space and was then tucked into more exposed spots such as web pages that could then be captured by online search engines, according to descriptions of the bug.
“We fetched a few live samples and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” Ormandy said in an online post about the flaw.
“This situation was unusual, (personally identifiable information) was actively being downloaded by crawlers and users during normal usage, they just didn’t understand what they were seeing.”
Ormandy said in a Twitter message fired off from @taviso that Cloudflare has been leaking information for months, jeopardizing supposedly secure data at major websites including Uber, OKCupid, Fitbit and 1Password.
A cry for people to change all of their online passwords because of the bug buzzed at Twitter, where “#CloudBleed” hashtag was a trending topic.