Sensitive personal data including cookies, API keys, and passwords has been leaked by web optimization giant Cloudflare. The company — which provides SSL encryption to millions of sites
across the internet — announced the leak in a detailed post on its blog
last night. The company said that it had not yet identified any
malicious uses of the information, but noted that there was an
additional problem because some of the data had been cached by search
engines.

The problem was initially spotted by Tavis Ormandy,
working for Google's Project Zero security initiative, on February 18th,
but the flaw may have been in effect as early as September 22nd last
year. Cloudflare says the biggest outpouring of information started on
February 13th when a shift in code meant one in every 3,300,300 HTTP
requests potentially resulted in memory leakage — a significant figure
for a network the size of Cloudflare.

Ormandy says he found hotel bookings, passwords from
password managers, and full messages from dating sites among the cached
data. "I didn’t realize how much of the internet was sitting behind a
Cloudflare CDN until this incident," he wrote on February 19th.
"We're talking full https requests, client IP addresses, full
responses, cookies, passwords, keys, data, everything." After spotting
Ormandy's Twitter message,
Cloudflare engineers disabled three features
that used the broken code that caused the issue, and moved to work with
search engines that had cached the information to clear it.

The leak (unofficially titled "Cloudbleed" in reference to 2014's Heartbleed vulnerability)
was the result of a "buffer overrun," Cloudflare said, a problem caused
by a mistake in its code. Cloudflare said the bug had been present in
its code for years, but had not been uncovered until it switched from
the Ragel parser to a new parser called cf-html, a move which "subtly
changed the buffering" and made the leak happen, "even though there were
no problems in cf-html itself."

Explaining the delay in announcing the leak, Cloudflare
says its "natural inclination was to get news of the bug out as quickly
as possible," but that it felt it "had a duty of care to ensure that
search engine caches were scrubbed before a public announcement." It
also said it conducted a search of sites such as PasteBin for
repositories of leaked information but found nothing.

Cloudflare's blog post claims that it took just over
seven hours for it to stem all three sources of potential leaks, and
Ormandy says he was "really impressed" with its quick response to the
problem. Still, it might be a good idea to change your passwords,
especially given how deeply embedded into the internet Cloudflare is.