Cloudflare Bug Leaks Passwords, API Keys and More

Cloudflare is a web optimization company and provides SSL encryption to millions of websites all around the internet. The company recently announced that a bug in its software that reared its head after an update has led to the leak of sensitive personal information by the company. The leak was first spied by Tavis Ormandy, who works or Google Project Zero security initiative on February 18.

The flaw may have been leaking data since September 22 of 2016. According to Cloudflare, the largest leak of data started on February 13 after it changed some code around. That code change led to a memory leakage issue where one in every 3,300,300 HTTP requests cause a memory overflow. That sounds like a small problem until you consider the size of the Cloudflare network.

Ormandy investigated the leaked data and found information on hotel bookings, passwords from password managers, and full messages from dating sites among the cached data. Ormandy wrote, “We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Cloudflare was alerted to the issue by a Tweet from Ormandy asking for one of the company’s security team to contact him. The leak was the result of a buffer overrun error and was cause by a mistake in the company’s code. Cloudflare says that mistake had been in its code for years, but wasn’t uncovered until it moved from the Ragel parser to a parser called cf-html.

That move affected buffering and led to the leak, the company notes there were no problems in cf-html itself. Cloudflare delayed announcing the leak because some of the leaked data had been cached by search engines. Cloudflare worked with search engines to have the cached data removed and then announced the leak.

The company has also searched sites like Pastebin looking for any repositories of leaked data. It took about seven hours of work to stop the data leaks from all three sources, but the problem is fixed says Cloudflare.