Sensitive data has been leaked across the Internet by CloudFlare for months due to a memory leakage bug in the content delivery network’s edge servers.
Rather than a malicious data breach caused by hackers, the leak was down to a flaw that enables sensitive information such as passwords, cookies, and authentication tokens to be visible as plain text on websites of CloudFlare’s customers.
Normally this information is obscured from view or encrypted, but the bug would have allowed visitors to see the sensitive data on the sites for which CloudFlare provides content delivery, security and performance services.
“Our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines,” explained John Graham-Cumming, CTO at CloudFlare.
Overall, Graham-Cumming said the memory leakage only affected 0.00003 percent of HTTP requests made to CloudFlare’s edge servers – around one in every 3,300,000 HTTP requests. However, given CloudFlare’s customers number around five million, that still means a good number of websites could have been affected by the bug.
Furthermore, the cached data made it challenging for CloudFlare to conduct clean-up operations after the bug was patched, as it needed to ask browser providers, such as Google, Yahoo and Microsoft’s Bing, to remove the sensitive data from their users’ browser caches.
That being said, Graham-Cumming noted that there has been no indication that the leaked data has been exploited by malicious actors or hackers, as CloudFlare would have detected unusual activity on its customers’ websites should that have been the case.
Yet this does not change the fact that the bug was a major security flaw, particularly as it exposed not only passwords and other security data but also potentially embarrassing private messages from users of the OKCupid online dating service, as well as messages on what a Project Zero researcher describes as a well-known chat service.
“We keep finding more sensitive data that we need to cleanup. I didn’t realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” Project Zero member Tavis Ormandy said.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
Such data breaches appear to be increasingly common; CloudFlare was lucky that no damage has really been done from the leak. But Yahoo has felt the sting of a major breach in both reputation and monetary terms.