Personal data, passwords and API keys have accidentally been leaked from sites all over the web.
Cloudflare is a web optimization giant that sits in front of millions of sites as a CDN and reverse proxy, terminating their SSL/TLS connections. In a blog post released last night, the company revealed that a flaw in its code resulted in a massive leak of cookies, API keys, passwords, and even dating site messages. Cloudflare has so far found no evidence that the leaked data was used maliciously, but did note that some search engines had cached it, adding to the problem.
The issue was spotted by Tavis Ormandy, working for Google’s Project Zero security initiative, on February 18th, but may have been in place as early as September of last year. The problem got worse on February 13, when a code change meant that roughly one in every 3,300,000 HTTP requests could have returned the contents of Cloudflare’s memory in the response. For a company handling as much traffic as Cloudflare, this is significant indeed.
“I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident,” wrote Ormandy. “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” During his investigation into the leak, Ormandy apparently found everything from dating site messages and hotel bookings to passwords from password managers.
The leak, which is being unofficially called Cloudbleed, was the result of a bug in Cloudflare’s HTML-parsing code that let it read past the end of a buffer (a “buffer overrun”), so that whatever happened to sit in adjacent memory, including other customers’ requests and responses, was copied into pages served to unrelated visitors. The bug had been present in the old Ragel-based parser for years without leaking anything; migrating to a new parser called cf-html subtly changed how data was buffered, and that turned the latent bug into an actual leak.
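The class of bug described above, as an added illustration that is not Cloudflare’s code: Cloudflare’s own post-mortem attributed the overrun to an end-of-buffer check that used equality rather than a range comparison, so once a pointer stepped past the end of the buffer the check never fired. The toy parser below, constructed for this example, makes the same mistake while extracting a quoted attribute value; a trailing backslash lets it skip over the end of the buffer and keep copying from “adjacent memory”, which here is a constructed cookie placed after the input in the same array so that the demonstration is deterministic. In a real process that adjacent region would be whatever happened to sit on the heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory layout (not Cloudflare's): the first HTML_LEN bytes are
 * the buffer handed to the parser; the bytes after it stand in for whatever
 * the process happened to have in adjacent memory, here another client's
 * cookie. Keeping both in one array makes the over-read deterministic.
 */
#define HTML_LEN 13
static const char arena[] =
    "<a href=\"abc\\"              /* 13 bytes: attribute value ends in a backslash */
    "Cookie: session=SECRET;\"";   /* adjacent memory the parser must never touch */

/*
 * Vulnerable: copies the first double-quoted attribute value into out.
 * A trailing backslash makes the escape handling step p past pe; because
 * the loop only tests p != pe, it never notices and keeps copying from
 * adjacent memory until it finds a closing quote there.
 */
static size_t extract_quoted_vuln(const char *buf, size_t len,
                                  char *out, size_t outcap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;

    while (p != pe && *p != '"') p++;   /* find opening quote */
    if (p == pe) return 0;
    p++;
    while (p != pe && *p != '"') {      /* BUG: equality, not bounds, check */
        if (*p == '\\')                 /* BUG: no check that a byte follows */
            p++;
        if (n < outcap - 1) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/*
 * Fixed: every advance of p is checked against pe with a range comparison,
 * and a backslash at the end of input is treated as truncated input.
 */
static size_t extract_quoted_fixed(const char *buf, size_t len,
                                   char *out, size_t outcap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;

    while (p < pe && *p != '"') p++;
    if (p >= pe) return 0;
    p++;
    while (p < pe && *p != '"') {
        if (*p == '\\') {
            if (p + 1 >= pe) break;     /* escape with nothing after it: stop */
            p++;
        }
        if (n < outcap - 1) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Run each parser over the constructed buffer; return bytes copied. */
size_t run_vulnerable(char *out, size_t outcap)
{
    return extract_quoted_vuln(arena, HTML_LEN, out, outcap);
}

size_t run_fixed(char *out, size_t outcap)
{
    return extract_quoted_fixed(arena, HTML_LEN, out, outcap);
}

int main(void)
{
    char out[64];
    run_vulnerable(out, sizeof out);
    printf("vulnerable parser returned: \"%s\"\n", out);
    run_fixed(out, sizeof out);
    printf("fixed parser returned:      \"%s\"\n", out);
    return 0;
}
```

The vulnerable parser returns the three real characters of the attribute followed by the neighbouring cookie, which is exactly the shape of what search engines cached during Cloudbleed: a legitimate page with someone else’s session data spliced into it. The fix is not clever; it is the habit of comparing with `<`/`>=` rather than `==` whenever a pointer can advance by more than one, plus treating a dangling escape as malformed input instead of trusting that a byte follows.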
Cloudflare had the faulty code disabled worldwide within about seven hours of the report, and Ormandy stated he was impressed by the company’s quick reaction. The announcement of the leak was delayed, according to Cloudflare, because they felt they “had a duty of care to ensure that search engine caches were scrubbed before a public announcement.”
The danger may be over, but we still recommend you change your passwords, and if you haven’t yet, switch to a password manager like LastPass so all your passwords are strong, unique and easy to swap out. Since cookies and API keys leaked alongside passwords, anyone running a site behind Cloudflare should also invalidate existing sessions and rotate any API keys that may have passed through it. A list of all the websites affected by the bug can be found here. It should also be noted that many users experienced sudden and strange logouts from their Google accounts yesterday. Google has stated that it is investigating the issue, that it is not related to any compromise of Google’s security, and that it is unrelated to Cloudbleed.