Cloudflare Leak Exposed Data From Millions of Websites

Web services company Cloudflare recently patched a bug that could have exposed a broad range of customer data like passwords, chat transcripts, and other information stored by millions of websites.

The bug, discovered by Google security researcher Tavis Ormandy, allowed sensitive data from Cloudflare-powered websites to be cached by search engines, including Google.

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings," Ormandy wrote in a Feb. 19 blog post. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Cloudflare powers many popular websites, including Uber, Fitbit, and OkCupid, Forbes reports. But Cloudflare downplayed the bug's impact on consumers, explaining in a statement that it had not discovered any evidence of malicious exploits.

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)," the company said.

Cloudflare client and password management company 1Password reassured its users that the bug did not put any of their data at risk. "At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail," the company said in a statement. "Indeed it is for incidents like this that we deliberately made this design."

Some Uber session tokens were leaked, Forbes reports, which could have compromised some Uber accounts, but the company said those tokens have now been changed and no user passwords were leaked.

Still, given the potential scope of the vulnerability and the fact that the data could be cached by search engines, experts warned that sensitive data could be strewn about many corners of the web. Security researcher Ryan Lackey said the bug is a good reminder to do what you should be doing regularly anyway: change all of your passwords.

"Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations," Lackey wrote in a blog post. "From an individual perspective, this is straightforward—the most effective mitigation is to change your passwords."
