Google researcher Tavis Ormandy uncovered a bug at the popular web company CloudFlare that could have leaked passwords, private messages and other sensitive data from website visits. Users are being urged to change their passwords as a precaution.
CloudFlare revealed yesterday that a bug in its code exposed sensitive data from major websites that use its performance enhancement and security services. Personal data such as passwords and cookies from its millions of clients, including OKCupid, FitBit, Uber and 1Password, may have been leaking for five months before the flaw was discovered and reported by the famous bug hunter Tavis Ormandy.
The CloudFlare bug, already dubbed "CloudBleed" by some, is the most worrying web leak of the year so far. CloudFlare hosts and serves content for at least 2 million websites. The incident brought back memories of the more infamous Heartbleed bug of 2015.
CloudFlare chief technology officer John Graham-Cumming explained in a blog post that the bug was retrieving random chunks of memory from vulnerable servers when requests came in.
Data that was supposed to be stored temporarily overflowed its buffer in memory and ended up in unguarded, unprotected places such as web pages.
Ormandy alerted CloudFlare to the problem on February 17th. He performed his own tests through a process called “fuzzing” and was able to make the servers return “encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” as he described the issue in an online post reported by FORBES magazine.
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” said Ormandy in a second post that pointed out the severity of the problem.
The problem was made worse because online search engines could capture the unprotected data. Another concern was that the web company often hosts content from different sites on the same server, meaning that a request to one vulnerable website could reveal information about another, unrelated CloudFlare site. There was no need to carry out an active attack to obtain data.
CloudFlare stated in a notification published on Thursday that it had not come across any evidence of malicious exploits. The company also mentioned that the greatest impact was during the period between February 13th and February 18th, in which only 0.00003% of its HTTP requests were potentially unsafe.
The company said the flaw was fixed as soon as Google raised the alert, admitting it would have been a lot worse otherwise.
“I think we dodged a bullet,” said CEO Matthew Prince to FORBES.
CloudFlare guaranteed that the secret information found from the websites has now been purged, and said it had conducted other searches for additional leaked data and didn’t find any.
A list of the CloudFlare domains affected by the problem was uploaded to GitHub, although it is not clear which or how many customers were in fact exposed.
Security specialists still recommend that users of any of those sites change their passwords, even though the probability of the average web user’s password being put in danger might be minimal.