Web optimization company Cloudflare has confirmed that a major bug caused the leak of sensitive data including passwords, API keys, cookies, and more.
Cloudflare offers SSL encryption to millions of websites, so the leak is of great magnitude. On the bright side, the company says it has not yet found any sign of malicious use of the information. At the same time, another problem popped up: search engines had already cached some of the leaked information.
Google Project Zero researcher Tavis Ormandy was the first to spot the issue and drew attention to the matter on Feb. 18, but the vulnerability may have been in place since Sept. 22, 2016.
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
One day later, Ormandy explained in a Chromium blog post that the leaked data he found included full messages from dating sites, passwords from password managers, and more.
"We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," says Ormandy.
Cloudflare Confirms 'Cloudbleed' Leak And Explains Why
In a detailed blog post of its own on Thursday, Feb. 23, Cloudflare acknowledges the issue and says the biggest data leak started on Feb. 13, when a change in code caused one in every 3,300,300 HTTP requests to potentially end in memory leakage. For a massive network the size of Cloudflare, that figure is huge and translates to an extensive data leak.
Following Ormandy's message on Twitter, Cloudflare's team disabled the three features that relied on the faulty code at the root of the problem and proceeded to work with search engines to clear the information they had cached.
Cloudflare explains that the leak, unofficially dubbed "Cloudbleed," stemmed from a "buffer overrun," a bug in its own code. According to the company, the bug had been present for years but stayed under the radar until it switched parsers, which "subtly changed the buffering" and triggered the leak. Nevertheless, Cloudflare says it found no problems with the new parser itself.
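Cloudflare's own postmortem traced the overrun to an end-of-buffer check in generated parser code that compared pointers with == rather than >=. The C below, added here as an illustration and not Cloudflare's code, reproduces that pattern on a constructed buffer: a tag cut off at the buffer end steps the cursor past the end pointer, the equality test never fires again, and bytes from adjacent memory (the constructed "secret") are copied into the output. The hardened version checks every advance with >= and stops cleanly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout: the first BUF_LEN bytes are the "request buffer"
 * the parser may read; the bytes after it stand in for unrelated memory. */
#define BUF_LEN 5
static const char arena[] = "abc<b>SECRET-TOKEN";

/* Strips tags from buf[0..len) into out and returns the byte count.
 * VULNERABLE pattern: the tag-skipping loop never looks at pe, and the
 * end-of-input test is an equality. Once p has stepped past pe, `p == pe`
 * can never become true and the copy runs on into adjacent memory. */
static size_t strip_tags_vulnerable(const char *buf, size_t len,
                                    char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    if (len == 0) return 0;
    for (;;) {
        if (*p == '<') {
            while (*p != '>') p++;      /* unbounded: walks past pe on "<b" */
        } else {
            if (n == out_cap) break;    /* cap only keeps the demo inside arena */
            out[n++] = *p;
        }
        if (++p == pe) break;           /* == test: missed once p > pe */
    }
    return n;
}

/* Hardened form: every advance is checked against pe, so an unterminated
 * tag at the end of the buffer simply ends the scan. */
static size_t strip_tags_safe(const char *buf, size_t len,
                              char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    while (p < pe) {
        if (*p == '<') {
            while (p < pe && *p != '>') p++;
            if (p >= pe) break;         /* tag cut off by buffer end: stop */
        } else {
            if (n == out_cap) break;
            out[n++] = *p;
        }
        p++;
    }
    return n;
}

int main(void)
{
    char v[9], s[9];
    size_t nv = strip_tags_vulnerable(arena, BUF_LEN, v, sizeof v);
    size_t ns = strip_tags_safe(arena, BUF_LEN, s, sizeof s);
    printf("vulnerable: %.*s\nsafe: %.*s\n", (int)nv, v, (int)ns, s);
    return 0;
}
```

The vulnerable scan emits "abcSECRET" (six bytes from past the buffer); the hardened scan emits only "abc".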
Customer SSL Private Keys Not Leaked
The company reckons that in some "unusual circumstances," its edge servers ran past the end of a buffer and returned memory containing private information such as authentication tokens, HTTP cookies and POST bodies, as well as other sensitive data, some of which search engines then cached.
"For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug," highlights the company.
Cloudflare adds that it delayed the announcement because it first wanted to make sure the search engine caches had been purged before making a public disclosure. At the same time, the company says it searched PasteBin and similar dump sites to check whether any of the leaked data had surfaced online, but found no such evidence.
At the end of the day, it seems that hackers did not exploit the leaked data. Cloudflare says it took it just seven hours to handle the three sources of potential leaks and Ormandy commended the company's impressively quick response.
Nevertheless, users might still want to update their passwords just to be on the safe side.