Sensitive user data has been leaked from websites including OkCupid, Uber and Fitbit because of a serious bug in the software of web performance and security company Cloudflare.
Cloudflare is a content delivery network that helps optimise the security and performance of over 5.5m websites.
The bug, which has been dubbed “Cloudbleed”, was first noticed by Tavis Ormandy from Google’s Project Zero, who tweeted Cloudflare to inform the company about the leak, posting a message saying: “Could someone from cloudflare security urgently contact me.”
— Tavis Ormandy (@taviso) February 18, 2017
On 17th February, Ormandy said he noticed that a number of personal details such as passwords, authentication tokens and even messages from major dating sites had been accidentally leaked online.
In a tweet posted last Thursday, Ormandy said the affected companies included Uber, 1Password, Fitbit, OkCupid and many others.
The Project Zero team member said in a post on Chromium: “I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.
“We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
The leak turned out to be the result of a bug in Cloudflare’s software: a broken HTML parser chain caused memory to be leaked into web responses.
This fault meant that the leaked sensitive data was also being cached by search engines.
The bug was revealed when Cloudflare migrated to new software between 13 and 18 February.
In a lengthy blog post, the software company said: “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.
“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
“The greatest period of impact was from February 13 to February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
“We are grateful that it was found by one of the world’s top security research teams and reported to us.”
Ormandy responded to the blog post by saying: “It contains an excellent postmortem, but severely downplays the risk to customers.”
Neither Cloudflare nor its customers have yet asked users to change their passwords, but some security researchers, such as Ryan Lackey, are advising this course of action.
In a Medium post Lackey said: “The most effective mitigation is to change your passwords. While this is in all probability not necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues.”