Content delivery network and security provider Cloudflare has revealed a bug in its software that caused sensitive data to leak.
Data such as passwords, cookies and authentication tokens were spilled in plain text from its customers’ websites.
The most serious period of leakage ran from 13 to 18 February, during which around one in every 3,300,000 HTTP requests passing through Cloudflare resulted in leaked data.
John Graham-Cumming, Cloudflare's chief technology officer, told TechCrunch: “At the peak, we were doing 120,000 leakages of a piece of information, for one request, per day.”
Cloudflare, which delivers enhanced security and performance for over five million websites, developed this bug during a recent period when it migrated from older to newer software. The bug in its software was spotted by Google’s Project Zero researcher Tavis Ormandy.
According to a blog post from Cloudflare, Ormandy contacted the company after noticing the security problem with its edge servers: some HTTP requests run through Cloudflare were returning corrupted web pages.
Ormandy said in a blog post: “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users.
“Once we understood what we were seeing and the implications, we immediately stopped and contacted Cloudflare security.”
Cloudflare confirmed that as soon as the problem was found, it took the necessary steps to turn off the three minor features that used the same HTML parser chain responsible for the leakage. These were Email Obfuscation, Server-Side Excludes and Automatic HTTPS Rewrites.
In a blog post, John Graham-Cumming said: “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.
“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
Cloudflare provides a timeline on its blog, where it confirms that the minor features were re-enabled worldwide.