Cloudflare is at the center of a massive data leak caused by a bug in its software. The web service hosts millions of websites across the world, which has left many worried about the potential ramifications of the incident.
The issue, popularly referred to as Cloudbleed, was first brought to light by Google Project Zero security researcher Tavis Ormandy. According to Cloudflare, he contacted the company on February 17 to report a security problem with its edge servers that was causing HTTP requests to return corrupted web pages.
Cloudflare says it investigated the matter and concluded that its servers were returning memory containing private information such as authentication tokens, encryption keys, passwords, and HTTP cookies. Search engines appear to have cached this sensitive data, potentially exposing millions of people.
Ormandy took to Twitter on February 24 to tell the public that Cloudflare had been leaking customer HTTPS session data for months, affecting sites such as Fitbit, Uber, OkCupid, and 1Password. Cloudflare admitted that the bug may have been active since September 22 and that the leak peaked between February 13 and February 18.
Worryingly, Cloudflare also stated that 120000 websites were leaking data every day at Cloudbleed's height. It says the bug has now been fixed. The firm is also trying to reassure the public by asserting that it found no evidence of the leaked data or the security hole being exploited by attackers.
Search engines such as Google are now working to scrub the cached private data. That process is not yet finished, so it is advisable to change passwords until the mess is completely cleared up.