Cloudflare memory leak dumps unknown quantity of sensitive, unencrypted data online

Web hosting provider Cloudflare has reported that a memory leak from their servers has leaked a great deal of sensitive information, including passwords and cookies, in plain text.

Cloudflare is host to literally millions of sites, and sensitive data like passwords, cookies and authentication tokens is usually encrypted. Thus, even if a hacker manages to steal the data, it would be meaningless unless it was decrypted, which is not an easy thing to do.

Cloudflare, however, has reported a “parser bug” that allowed the sensitive data to be cached locally and, worse, cached by search engines. This means that the data can actually be found online if you know what to look for.

TechCrunch explains that the error could have allowed anyone to collect personal information very easily. The leak was discovered by a Google engineer as part of Google’s Project Zero, but may have been active since 22 September 2016, the report adds.

Cloudflare was also affected by the bug as one of its private keys was revealed. The company claims that only 0.000003 percent of traffic was affected, but given Cloudflare’s size, that’s still a lot of data.

The hosting provider has, by their own admission, been working overtime to resolve the issue. Two global teams working in 12-hour shifts have ensured that efforts are under way 24 hours a day. The company has also pulled the services that were causing the bug.

Tavis Ormandy, the Google engineer who noticed the bug, claims that he was working on a project when he noticed unexpected data. Further inspection revealed the bug on Cloudflare’s end. Ormandy says that he’s found very sensitive private data, including personal messages from dating sites and chat services, data from password managers, frames from adult video sites, hotel bookings, etc.

John Graham-Cumming of Cloudflare published full details of the issue in a blog post. In that blog post he outlines the scope of the issue, the root cause, the steps that have been taken, etc.

Kudos to Cloudflare for being so open about it, but the damage has been done. All that’s left to do now is determine the full extent of the leaks and patch things up as fast as possible.
