Sensitive personal data including cookies, API keys, and passwords has been leaked by web optimization giant Cloudflare. The company — which provides SSL encryption to millions of sites across the internet — announced the leak in a detailed post on its blog last night. The company said that it had not yet identified any malicious uses of the information, but noted that there was an additional problem because some of the data had been cached by search engines.
The problem was initially spotted by Tavis Ormandy, working for Google's Project Zero security initiative, on February 18th, but the flaw may have been in effect as early as September 22nd last year. Cloudflare says the biggest outpouring of information started on February 13th when a shift in code meant one in every 3,300,300 HTTP requests potentially resulted in memory leakage — a significant figure for a network the size of Cloudflare.
"Could someone from cloudflare security urgently contact me." — Tavis Ormandy (@taviso), February 18, 2017
Ormandy says he found hotel bookings, passwords from password managers, and full messages from dating sites among the cached data. "I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident," he wrote on February 19th. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything." After spotting Ormandy's Twitter message, Cloudflare engineers disabled three features that used the broken code that caused the issue, and moved to work with search engines that had cached the information to clear it.
The leak (unofficially titled "Cloudbleed" in reference to 2014's Heartbleed exploit) was the result of a "buffer overrun," Cloudflare said, a problem caused by a mistake in its code. Cloudflare said the bug had been present in its code for years, but had not been uncovered until it switched from the Ragel parser to a new parser called cf-html, a move which "subtly changed the buffering" and made the leak happen, "even though there were no problems in cf-html itself."
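Cloudflare's incident report traces the overrun to an end-of-buffer test written with `==`, which a pointer that advances by more than one byte can step over. The C sketch below is an added illustration of that bug class beside the `>=` form that catches it; it is not Cloudflare's code. The scanner, the `CHUNK` and `NEIGHBOUR` data and every name in it are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed data: an HTML chunk that ends mid-attribute, followed in the
   same array by unrelated bytes standing in for adjacent heap memory. */
#define CHUNK     "<img src="
#define NEIGHBOUR "SECRET-TOKEN-EXAMPLE"
static const char arena[] = CHUNK NEIGHBOUR;

enum end_check { CHECK_EQ, CHECK_GE };

/* Toy scanner (hypothetical). Copies input to out; on '=' it consumes the
   '=' and the expected opening quote in one step, so p can move from
   pe-1 straight to pe+1 without ever being equal to pe. */
static size_t scan(const char *p, const char *pe, const char *hard_end,
                   enum end_check mode, char *out, size_t outsz)
{
    size_t n = 0;
    /* hard_end keeps the demo inside the array so it is well-defined C;
       a real overrun has no such backstop. */
    while (p < hard_end && n + 1 < outsz) {
        int at_end = (mode == CHECK_EQ) ? (p == pe) : (p >= pe);
        if (at_end)
            break;
        if (*p == '=') { p += 2; continue; }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Number of emitted bytes that came from beyond the end of the chunk. */
size_t bytes_leaked(enum end_check mode, char *out, size_t outsz)
{
    const char *pe = arena + strlen(CHUNK);           /* logical end */
    const char *hard_end = arena + sizeof(arena) - 1; /* end of the array */
    size_t n = scan(arena, pe, hard_end, mode, out, outsz);
    return n - (strlen(CHUNK) - 1);  /* '=' is consumed, never copied */
}

int main(void)
{
    char out[64];
    size_t n = bytes_leaked(CHECK_EQ, out, sizeof out);
    printf("== check: %zu bytes past the buffer: %s\n", n, out);
    n = bytes_leaked(CHECK_GE, out, sizeof out);
    printf(">= check: %zu bytes past the buffer: %s\n", n, out);
    return 0;
}
```

With the equality test the scanner runs on into the neighbouring bytes and emits them as if they were page content; with `>=` it stops at the chunk boundary.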
Explaining the delay in announcing the leak, Cloudflare says its "natural inclination was to get news of the bug out as quickly as possible," but that it felt it "had a duty of care to ensure that search engine caches were scrubbed before a public announcement." It also said it conducted a search of sites such as PasteBin for repositories of leaked information but found nothing.
Cloudflare's blog post claims that it took just over seven hours for it to stem all three sources of potential leaks, and Ormandy says he was "really impressed" with its quick response to the problem. Still, it might be a good idea to change your passwords, especially given how deeply embedded into the internet Cloudflare is.
Correction: Clarified that the bug in code was not directly generated by the Ragel parser.