Content delivery network Cloudflare, which provides web performance and security services to millions of websites, announced a leak Thursday in a technically detailed incident report posted to its blog.
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” the company’s CTO John Graham-Cumming wrote in the blog post. “We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
The incident, dubbed ‘Cloudbleed’, was the result of a software bug that caused Cloudflare’s edge servers to return fragments of server memory inside HTTP responses, randomly exposing HTTP cookies, authentication tokens, login credentials and other data belonging to unrelated sites. It has potentially affected thousands of popular websites and iOS apps, including Uber, Yelp, Fitbit and OKCupid, meaning that users of sites served through Cloudflare may have had their personal information exposed and should change their passwords.
Cloudflare was alerted to the bug last Friday by Tavis Ormandy, a Google Project Zero security researcher who noticed corrupted output coming from the company’s edge servers. Further investigation revealed that the leak was extensive and could have begun as far back as last September, though Cloudflare notes that the “greatest period of impact was from February 13 [to] February 18”, with around 0.00003% of HTTP requests (roughly one in 3.3 million) resulting in memory leakage.
The result is that, over a period of months, Cloudflare’s edge servers leaked an unknown quantity of data across the internet; some of it was cached by search engines such as Google, and some of it could contain private information.
Even so, Ormandy took issue with Cloudflare’s post. In an update posted yesterday, he noted that the incident report “contains an excellent postmortem, but severely downplays the risk to customers”, Ars Technica reports.
“This is a big deal for us,” Cloudflare CEO Matthew Prince emphasized today in an interview with Gizmodo. “This is a really bad bug. This is something that our customers should be very cognizant of and should take very seriously.”
The silver lining is that Cloudflare was able to patch the bug within hours and has not seen any evidence that the bug was maliciously exploited.
“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under seven hours with an initial mitigation in 47 minutes,” Cloudflare announced. Still, because session cookies and authentication tokens were among the data exposed, it is advised that you change your account passwords, sign out of all active sessions so that any leaked session cookies are invalidated, and rotate any API keys or tokens that may have passed through a Cloudflare-fronted site, just to be safe.
Other Sites Affected By Cloudbleed Include:
Check separately for other domains that might be affected.