Published in News

CloudFlare leaked personal details for months

24 February 2017


Problem fixed


CloudFlare, the popular content delivery network used by more than 5.5 million sites, accidentally leaked customers' sensitive information for months.

The outfit has owned up to the leak and says it has fixed the bug at the heart of the problem.

Apparently, the data leaked included "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings".

Google security advisor Tavis Ormandy who spotted and reported the issue last week, said: "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

Ormandy named Uber, 1Password, FitBit and OKCupid among the sites whose data had spilled. Serving a site over HTTPS was no protection: CloudFlare terminates TLS at its edge, so the memory that leaked held traffic that had already been decrypted.

CloudFlare disabled the three features that depended on the faulty parser, email obfuscation, server-side excludes and automatic HTTPS rewrites, since those were the paths through which the problem surfaced.

Fully remedying the issue, however, took about a week, CloudFlare said. Search engines such as Google, Yahoo and Bing had inadvertently stored leaked data in their crawler caches, and the CloudFlare team had to work with them to purge those indexes before the leak could be made public.

It all started in September, when CloudFlare began swapping a new HTML parser into its edge servers. The new code did not contain the flaw itself; rather, its introduction exposed a separate, older coding error in the parser it was replacing.

In a technical post-mortem of the incident, John Graham-Cumming, CloudFlare's chief technology officer, said that the engineers working on the new HTML parser had been so worried about bugs affecting the service that they had spent hours verifying that it did not contain security problems.

"Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it," he continued.
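The mechanism Graham-Cumming describes, a latent bug that only bites once the code around it changes, can be made concrete. CloudFlare's published post-mortem attributed the leak to an end-of-buffer check written with `==` rather than `>=`, so that a pointer which stepped over the end of a buffer was never caught and the parser carried on reading whatever lay next in memory. The following is an added example, not CloudFlare's code or anything from the article: a toy scanner over a constructed memory arena (hypothetical request and neighbouring data, and my own names) that shows how one two-byte step at a buffer boundary turns that equality check into a read of another tenant's data, and how the `>=` check stops it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed arena standing in for one stretch of an edge server's heap:
 * the request being parsed is immediately followed by memory that belongs
 * to a different tenant's request.  Hypothetical data, not from the incident.
 */
static const char ARENA[] =
    "GET /a\r"                               /* request buffer, cut mid-CRLF   */
    "Cookie: session=OTHER-TENANT-SECRET";   /* adjacent memory, must not leak */

enum { REQ_LEN = 7 };                        /* bytes that belong to the request */

/*
 * Copy buf[0..len) into out, dropping CRLF line endings.  Mimics a generated
 * scanner that treats "\r\n" as one token and advances p by two without
 * re-reading the second byte.  When the buffer is cut between '\r' and '\n',
 * that step lands p at pe + 1.
 *
 *   strict_end == 0: end-of-buffer test is `p == pe` (the latent bug)
 *   strict_end == 1: end-of-buffer test is `p >= pe` (catches the overshoot)
 *
 * arena_end only keeps this demo inside the constructed arena; a real parser
 * has no such backstop and keeps reading heap until it faults or the output
 * buffer fills.
 */
static size_t copy_lines(const char *buf, size_t len, const char *arena_end,
                         int strict_end, char *out, size_t out_cap)
{
    const char *p  = buf;
    const char *pe = buf + len;
    size_t n = 0;

    while (n + 1 < out_cap && p < arena_end) {
        int at_end = strict_end ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        if (*p == '\r') {     /* consume CRLF as a two-byte token */
            p += 2;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Number of bytes the parser emits for the request with the given check. */
size_t parsed_len(int strict_end)
{
    char out[128];
    return copy_lines(ARENA, REQ_LEN, ARENA + sizeof(ARENA) - 1,
                      strict_end, out, sizeof out);
}

/* 1 if the parser's output contains bytes from beyond the request buffer. */
int leaks_neighbour(int strict_end)
{
    char out[128];
    copy_lines(ARENA, REQ_LEN, ARENA + sizeof(ARENA) - 1,
               strict_end, out, sizeof out);
    return strstr(out, "OTHER-TENANT") != NULL;
}

int main(void)
{
    char out[128];
    copy_lines(ARENA, REQ_LEN, ARENA + sizeof(ARENA) - 1, 0, out, sizeof out);
    printf("p == pe : \"%s\"\n", out);   /* spills the neighbour's cookie */
    copy_lines(ARENA, REQ_LEN, ARENA + sizeof(ARENA) - 1, 1, out, sizeof out);
    printf("p >= pe : \"%s\"\n", out);   /* stops at the buffer end */
    return 0;
}
```

The `>=` check is the backstop, not the whole fix: the multi-byte token step should itself refuse to advance past `pe`. The point of the example is that the `==` version is perfectly correct as long as every step is one byte, which is why it can sit unnoticed in old code until a change elsewhere in the pipeline starts handing it buffers that end mid-token.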

He added that his team has since begun testing CloudFlare's software for other potential problems.


Last modified on 24 February 2017