February 24, 2017

Sensitive data leaked from customers’ websites following Cloudflare bug

The bug was found by a Google researcher and fixed by Cloudflare due to the risk to customer data.

By Hannah Williams

Content delivery network and security provider Cloudflare has revealed a bug in its software which caused sensitive data to leak.

Data such as passwords, cookies and authentication tokens were spilled in plain text from its customers’ websites.

This took place between 13 and 18 February, when the most serious leakage occurred, with around one in every 3,300,000 HTTP requests leading to data leakage.

John Graham-Cumming, chief technology officer at Cloudflare, told TechCrunch: “At the peak, we were doing 120,000 leakages of a piece of information, for one request, per day.”

Cloudflare, which delivers enhanced security and performance for over five million websites, introduced this bug during a recent period when it migrated from older to newer software. The bug was spotted by Google’s Project Zero researcher Tavis Ormandy.

According to a blog post from Cloudflare, Ormandy contacted the company after noticing security problems with its edge servers. Corrupted web pages were visibly being returned in response to HTTP requests run through Cloudflare.

Ormandy said in a blog post: “We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users.

“Once we understood what we were seeing and the implications, we immediately stopped and contacted Cloudflare security.”

Cloudflare confirmed that as soon as the problem was found it took the necessary steps to turn off the three minor features that were using the same HTML parser chain that resulted in the leakage. These were Email obfuscation, Server-side excludes and Automatic HTTPS Rewrites.

In a blog post, John Graham-Cumming said: “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines.

“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

Cloudflare provides a timeline on its blog, where it confirms that the minor features were re-enabled worldwide.
