Millennium Post

Cloudflare bug leaks private data online

Internet users are being urged to change all their passwords in the wake of a Cloudflare bug that could have leaked passwords, messages and more from website visits. Cloudflare, whose service is used by millions of websites to enhance security and performance, said that it had fixed the flaw quickly after being alerted a week ago by Google researcher Tavis Ormandy.

"It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data," Cloudflare chief technology officer John Graham-Cumming said in a blog post. "And some of that data had been cached by search engines."

Essentially, sensitive data intended to be temporarily stored overflowed "buffering" memory space and was then tucked into more exposed spots such as web pages that could then be captured by online search engines, according to descriptions of the bug.

"We fetched a few live samples and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users," Ormandy said in an online post.