Cloudflare exposes sensitive data from millions of websites

Samvel Gevorgyan
CEO, CYBER GATES
I cover cybercrime, privacy and security in digital form.

Cloudflare, a multibillion-dollar startup that runs a popular content delivery network used by more than 5.5 million sites, accidentally leaked customers' sensitive information for months.

Last Friday, Tavis Ormandy from Google's Project Zero contacted Cloudflare to report a security problem, since dubbed Cloudbleed, with their edge servers: they were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of that data had been cached by search engines.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, server-side excludes and automatic HTTPS rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

— Cloudflare, in its incident report

The Cloudbleed security issue in Cloudflare's servers has a significant impact on numerous major organizations, including Uber, Fitbit, 1Password, and OKCupid. Cloudbleed also affects mobile apps, because they talk to the same backends as browsers do for content delivery and HTTPS (SSL/TLS) termination.

[Screenshot] Exposed sensitive data, sample captured by Tavis Ormandy (Photo: chromium.org)

So, how can I find out which services I have accounts with are using Cloudflare?

Note: The following list includes some mobile apps that may have been affected.
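Beyond the lists, a practitioner can check any service directly. The following script is an added example written for this article, not code from Cloudflare or from the original post. It uses two public signals: responses proxied through Cloudflare's edge carry a `server: cloudflare` header and a `cf-ray` request identifier, and zones hosted at Cloudflare are delegated to nameservers under `ns.cloudflare.com`. The hostnames, headers and nameservers below are constructed for the demonstration, so the script runs offline; the `live_headers` helper is the only part that touches the network.

```python
"""Added example: classify whether a service sits behind Cloudflare's proxy.

Signals used (all publicly observable):
  1. Response headers: Cloudflare's edge sets `server: cloudflare` and adds a
     `cf-ray` header to every proxied response.
  2. DNS delegation: zones hosted at Cloudflare use `*.ns.cloudflare.com`.
     This is a weaker signal, because a zone can be hosted there with
     DNS-only records that are never proxied.

The sample observations at the bottom are constructed, not real measurements.
"""
from typing import Dict, Iterable, List
import urllib.request


def classify(headers: Dict[str, str], nameservers: Iterable[str] = ()) -> str:
    """Return 'proxied', 'dns-only' or 'none'.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if lowered.get("server", "").startswith("cloudflare") or "cf-ray" in lowered:
        return "proxied"
    # Strip a trailing dot (FQDN form) before comparing the suffix.
    if any(ns.lower().rstrip(".").endswith(".ns.cloudflare.com") for ns in nameservers):
        return "dns-only"
    return "none"


def audit(sites: Dict[str, dict]) -> Dict[str, str]:
    """Map each hostname in {host: {"headers": {...}, "nameservers": [...]}}
    to its classification."""
    return {
        host: classify(obs.get("headers", {}), obs.get("nameservers", ()))
        for host, obs in sites.items()
    }


def affected_hosts(sites: Dict[str, dict]) -> List[str]:
    """Hosts with any Cloudflare signal, sorted; these are the accounts whose
    credentials and sessions deserve a rotation."""
    return sorted(host for host, verdict in audit(sites).items() if verdict != "none")


def live_headers(host: str, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch a real site's response headers with a HEAD request.

    Needs network access; not called by the offline demo below.
    """
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.getheaders())


# Constructed observations for three hypothetical services (not real hosts).
SAMPLE_SITES = {
    "app.example-a.test": {
        "headers": {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-FRA",
                    "Content-Type": "text/html"},
        "nameservers": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    },
    "login.example-b.test": {
        "headers": {"Server": "nginx/1.10.3", "Content-Type": "text/html"},
        "nameservers": ["ns1.example-b.test", "ns2.example-b.test"],
    },
    "api.example-c.test": {
        # The origin's own Server header is visible, so this host is not
        # proxied; only the DNS delegation points at Cloudflare.
        "headers": {"Server": "Apache", "Content-Type": "application/json"},
        "nameservers": ["kate.ns.cloudflare.com"],
    },
}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_SITES).items():
        print(f"{host}: {verdict}")
    print("rotate credentials for:", ", ".join(affected_hosts(SAMPLE_SITES)))
```

A `proxied` verdict means traffic for that host passed through the edge servers that had the bug; `dns-only` means only the zone is hosted at Cloudflare, which on its own does not put responses through the proxy, but it is still worth confirming with the service itself.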

Notable Sites

Alexa Top 10,000 affected sites

Alexa Top 1,000 affected Armenian sites

Summary

Check your password managers and change all your passwords, especially those for the affected sites listed above. Renew API keys and confirm you have 2FA set up for important accounts. Since every Cloudflare proxy customer could have had data leaked, it is better to be safe than sorry.

