Cloudflare Bug Leaks Sensitive Data From Numerous Sites

Web traffic sent over this website and more than 3,000 others was exposed due to a flaw in a tool provided by the cybersecurity company Cloudflare.

The heart of the issue was a security problem with Cloudflare's edge servers, which were returning corrupted web pages in response to some HTTP requests passing through Cloudflare's large network.

Company executives described the bug as "serious because the leaked memory could contain private information and because it had been cached by search engines". Many sites use Cloudflare, including PCGamesN, Reddit, Patreon and Discord.

CDN and security provider Cloudflare has been leaking data from its TLS connections, Google researcher Tavis Ormandy has discovered, and despite his best efforts the flaw is now known as Cloudbleed. Once the team had worked out how to reproduce the issue, they "observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users". This was a big-deal bug, and it has been patched (though, in some cases, the more paranoid might want to change their passwords), and you're welcome to take my word for it and stop reading now. Even worse is the fact that this information, which could include passwords, API keys, private messages, and cookies, could have been cached by search engines, turning the matter into more than a standard security breach. In its blog post, the company said it has not yet identified any malicious use of the leaked information.

Cloudflare, one of the giants of internet security responsible for keeping the websites we all visit safe, is itself the source of a vulnerability that has the potential to rival the Heartbleed bug of 2014.

Around 0.00003% of HTTP requests through Cloudflare potentially resulted in memory leakage during that time.

Cloudflare said the earliest memory could have leaked was 22 September 2016. Companies that you have online accounts with most likely use Cloudflare, which means your data may have been exposed.

Security entrepreneur Ryan Lackey recommended rotating passwords, though he noted it was unlikely the average web user's password was in danger of being stolen. "Cloudflare is behind numerous largest consumer web services (Uber, Fitbit, OKCupid, ...), so rather than trying to identify which services are on Cloudflare, it's probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites", Lackey wrote. Cloudflare itself noted that the leaked memory might have contained sensitive data, like passwords or private communications. Still, while reading the report, a sense remains that Cloudflare downplayed this issue. The information being leaked looked like a mess of characters to the average user, but it quickly became clear to Ormandy what was happening. User data from 3,400 websites has been leaked and cached by search engines thanks to the bug in Cloudflare.

With assistance from Google, Bing, Yahoo, and others, Cloudflare found that data from at least 161 domains had been leaked and cached. However, with notification still not sent by Thursday, and with Project Zero's "7-day" disclosure policy for actively exploited vulnerabilities being stretched, Ormandy made his findings public on Thursday.
