Cloudflare Bug Leaks Sensitive Data From Numerous Sites

Cloudflare found leaking customer HTTPS sessions for months

The heart of the issue was a security problem in Cloudflare's edge servers, which were returning corrupted web pages, containing chunks of server memory, in response to some of the HTTP requests passing through Cloudflare's large network.

Company executives described the bug as "serious because the leaked memory could contain private information and because it had been cached by search engines". Many sites use Cloudflare, including PCGamesN, Reddit, Patreon and Discord.

CDN and security provider Cloudflare has been leaking data from its TLS connections, Google researcher Tavis Ormandy has discovered, and despite his best efforts the flaw is now known as Cloudbleed. Once they had figured out how to reproduce the issue, the team "observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users". This was a big-deal bug, and it has been patched (though, in some cases, the more paranoid might want to change their passwords), and you're welcome to take my word for it and stop reading now. Even worse, this information, which could include passwords, API keys, private messages and cookies, could have been cached by search engines, turning the matter into more than a standard security breach. In the post the company has published, it says it has not yet identified any malicious use of the leaked information.
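The bug surfaced as HTTP responses carrying slices of server memory: page bodies with other users' request lines, cookies and authorization headers spliced into them. As an added example (not code from the article or from Cloudflare), the Python script below shows the kind of heuristic a site operator could run over saved HTTP response bodies or search-engine cache snapshots to triage pages that look like they carry leaked memory. The sample bodies and the `example.invalid` URLs are constructed for the example, and the patterns are rough heuristics rather than a signature of the actual bug.

```python
import re
from typing import Dict, List

# Heuristics, not a signature: fragments of an HTTP message that have no
# business appearing inside a rendered HTML body. A body that carries them is
# a candidate for leaked server memory and should be pulled for manual review.
REQUEST_LINE = re.compile(r"\b(?:GET|POST|PUT|DELETE|PATCH) /\S* HTTP/1\.[01]\b")
CREDENTIAL_HEADER = re.compile(
    r"(?im)^(cookie|set-cookie|authorization|x-api-key|x-csrf-token)\s*:\s*\S"
)
# Runs of control bytes that a legitimate text/html body does not contain.
CONTROL_RUN = re.compile(r"[\x00-\x08\x0e-\x1f]{4,}")


def scan_body(body: str) -> Dict[str, object]:
    """Flag one response body. Only header *names* and counts are reported,
    never the values, so the scanner's own output cannot re-leak a secret."""
    request_lines = REQUEST_LINE.findall(body)
    header_names = [m.group(1).lower() for m in CREDENTIAL_HEADER.finditer(body)]
    control_runs = len(CONTROL_RUN.findall(body))
    return {
        "request_lines": request_lines,
        "credential_headers": header_names,
        "control_runs": control_runs,
        "suspicious": bool(request_lines or header_names or control_runs),
    }


def triage(responses: Dict[str, str]) -> List[str]:
    """Return the URLs whose bodies look like they carry leaked memory."""
    return [url for url, body in responses.items() if scan_body(body)["suspicious"]]


# Constructed sample bodies (not real Cloudflare output): one clean page and
# one with a fragment resembling another user's login request spliced into it.
CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Cookie policy: we use cookies.</p></body></html>"
LEAKY_PAGE = (
    "<html><body><h1>Welcome</h1>"
    "POST /api/login HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cookie: session=SAMPLE-VALUE\r\n"
    "Authorization: Bearer SAMPLE-TOKEN\r\n"
    "\r\n"
    "user=alice&password=SAMPLE\x00\x01\x02\x03\x04"
    "</body></html>"
)
SAMPLE_RESPONSES = {
    "https://example.invalid/clean": CLEAN_PAGE,
    "https://example.invalid/leaky": LEAKY_PAGE,
}

if __name__ == "__main__":
    for url in triage(SAMPLE_RESPONSES):
        report = scan_body(SAMPLE_RESPONSES[url])
        print(url, report["credential_headers"], report["control_runs"])
```

Running the script flags only the leaky page, reporting the header names `cookie` and `authorization` and one run of control bytes; the cookie and token values themselves are deliberately never printed, since a triage log that copies leaked secrets would just be a second place they are exposed.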

Cloudflare, one of the giants of internet security responsible for keeping the websites we all visit safe, is itself the source of a vulnerability that has the potential to rival the Heartbleed bug of 2014.

Cloudflare said the earliest the memory could have leaked was 22 September 2016; around 0.00003% of HTTP requests through Cloudflare potentially resulted in memory leakage during that time. Cloudflare's customers most likely include companies you have online accounts with, which means your data may have been exposed.

Security entrepreneur Ryan Lackey recommended rotating passwords, though he noted it was unlikely the average web user's password was in danger of being stolen. "Cloudflare is behind numerous largest consumer web services (Uber, Fitbit, OKCupid, ...), so rather than trying to identify which services are on Cloudflare, it's probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites", Lackey wrote. Cloudflare also noted that an additional problem had been detected: the leaked memory might have contained sensitive data, like passwords or private communications. Still, reading the report, a sense remains that Cloudflare downplayed the issue. The leaked information looked like a mess of characters to the average user, but it quickly became clear to Ormandy what was happening. User data from 3,400 websites has been leaked and cached by search engines thanks to the bug in Cloudflare.

With assistance from Google, Bing, Yahoo and others, Cloudflare found that data from at least 161 domains had been leaked and cached. However, with notification still not sent by Thursday, and Project Zero's "7-day" disclosure policy for actively exploited vulnerabilities increasingly strained, Ormandy made his findings public on Thursday.
