Cloudflare Bug That Leaked Sensitive User Data From Various Websites and Apps Now Fixed

by

Content delivery network Cloudflare has confirmed the existence of a bug that caused search engines to cache sensitive user data from a variety of well-known apps and websites. Google researcher Tavis Ormandy discovered and reported the bug to Cloudflare, and the company has since fixed the bug and published a detailed blog post about exactly what happened.

According to Cloudflare, the period of greatest impact for the "parser bug" ran from February 13 to February 18, although the extent of the leak stretches back months. The heart of the issue was a security problem with Cloudflare edge servers, which were returning corrupted web pages by some HTTP requests running on Cloudflare's large network.

cloudflare logo
In what the company referred to as "some unusual circumstances," occasionally private information was returned as well, including "HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data."

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

As shared in a tweet by Ormandy this week, that data also included private dating site messages from OKCupid, full messages from a "well-known chat service," passwords from password managing apps like 1Password, and more (via Fortune). In response, some companies -- like 1Password -- have published blog posts confirming that "no 1Password data is put at any risk through the bug reported about CloudFlare."

To expedite a solution, Cloudflare responded to Ormandy's discovery and turned off three minor features of the network -- email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites -- discovered to be using the same HTML parser chain "that was causing the leakage."

In its blog post, the company said that it has "not discovered any evidence of malicious exploits" in relation to the time that the parser bug was active. It also noted that, while serious, the scale of the bug was still relatively low: around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. "That’s about 0.00003% of requests," the company noted.

Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches. The company's chief technology officer, John Graham-Cumming, concluded the blog saying, "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it."

Earlier this week, it was reported that Apple cut ties with server supplier Super Micro Computer in order to avoid a potential future scenario where user data might be put at risk, similar to Cloudflare's leak. Early in 2016, Apple was said to have discovered a potential security vulnerability in one of Super Micro Computer's data center servers and effectively ended its business relationship with the network company shortly thereafter.

For a technical dive into Cloudflare's parser bug and its origins, check out the company's blog post.

Top Rated Comments

AndyK Avatar
51 months ago
If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').
Score: 5 Votes (Like | Disagree)
Parasprite Avatar
51 months ago

If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').

Note that this means your master password is safe if you happen to use a 1Password account. This doesn't mean that there is any less risk for other data (including logins and other sensitive data).
Score: 1 Votes (Like | Disagree)
campyguy Avatar
51 months ago

I get how 1Password can say 'not affected' but I don't get how some of the others can. I have domains and DNS at Namecheap, and read their page about their investigation. I don't understand how they can say not affected, though. Unless I'm misunderstanding what happened, how would they even know (or be able to investigate)? No one logged into their site during the affected time periods?

Anyway, yea, using a password manager is a very good idea, as you can have a good, strong UNIQUE password for every site (i.e.: if one gets compromised, it's only that site). But, changing them can still be a pain for things like Dropbox, email, etc. where the change impacts all your systems and devices.

Sorry for the delay, a client popped in with Scotch - here in the office we couldn't say no to either one… ;)

I'd been poring over my own resources about getting to the bottom of this as well, and cruising the web for a more-narrowed or focused explanation and found one on Wired with some quotes from Cloudflare's CEO that broke it down for me, the whole post is a good read and the CEO's comments begin about halfway down starting with the "What Happens Now" header:
https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

Keep in mind that the CEO cites a number of affected customers and not a number of affected web sites or portals… Cheers!
Score: 1 Votes (Like | Disagree)

Top Stories

16inchmacbookpromain

Kuo: New MacBook Pro Models to Feature Flat-Edged Design, MagSafe, No Touch Bar and More Ports

Thursday January 14, 2021 9:32 pm PST by
Apple is working on two new MacBook Pro models that will feature significant design changes, well-respected Apple analyst Ming-Chi Kuo said today in a note to investors that was obtained by MacRumors. According to Kuo, Apple is developing two models in 14 and 16-inch size options. The new MacBook Pro machines will feature a flat-edged design, which Kuo describes as "similar to the iPhone 12" ...
iphone x camera close

iOS 14.4 Will Introduce Warning on iPhones With Non-Genuine Cameras

Thursday January 14, 2021 8:07 am PST by
In the second beta of iOS 14.4 seeded to developers and public testers this week, MacRumors contributor Steve Moser has discovered code indicating that Apple will be introducing a new warning on iPhones that have had their camera repaired or replaced with aftermarket components rather than genuine Apple components. "Unable to verify this iPhone has a genuine Apple camera," the message will...
prototype iphone 12 pro

Prototype iPhone 12 Pro Shown Off in Photos

Wednesday January 13, 2021 3:39 pm PST by
Developer Giulio Zompetti, who often shows off prototype versions of Apple devices, today highlighted a prototype version of the iPhone 12 Pro. The iPhone 12 Pro is running an operating system called SwitchBoard, a nonUI version of the iOS 14 update that Apple uses internally. We've seen SwitchBoard on prototype devices before, as Apple uses it to test new features. Zompetti's prototype...
find my app safari post

Safari Allows Users to Enable Hidden 'Items' Tab in 'Find My' App Ahead of AirTags Launch

Wednesday January 13, 2021 5:45 am PST by
As seen in screenshots obtained by MacRumors in 2019, Apple's long-rumored AirTags items trackers are expected to be managed through the Find My app on iPhone, iPad, and Mac. Now, any user can get an early look at this tab. MacRumors reader David Chu today alerted us that the hidden "Items" tab in the Find My app can be enabled on an iPhone or iPad by typing in the link findmy://items in...
pioneer carplay wc5700nex

The Best Apple-Related Accessories at CES 2021

Wednesday January 13, 2021 1:16 pm PST by
CES 2021 is taking place digitally this year, and it hasn't been as exciting as in past years because many vendors have opted out. That said, some companies are still showing off some interesting Apple-related accessories that are coming out this year and that will be of interest to Mac, iPad, and iPhone users. Subscribe to the MacRumors YouTube channel for more videos. Pioneer Wireless...
Hue module dimmer switch

Philips Hue Announces New Wall Switch Module, Dimmer Switch, and Outdoor Light Bar

Thursday January 14, 2021 3:11 am PST by
Philips Hue has announced a new wireless dimmer switch module that lets Hue bridge owners directly control the smart lighting from their standard wall switches. The new Philips Hue wall switch module is the ideal addition to any Philips Hue set up. Installed behind existing light switches, it allows users to turn their existing switch into a smart switch and ensures their smart lighting is...
macbook pro 16 inch thunderbolt

Bloomberg: Next-Generation MacBook Pro to Offer Improved Displays, Faster Charging Over MagSafe

Thursday January 14, 2021 11:36 pm PST by
Following today's report from analyst Ming-Chi Kuo outlining major changes for the next-generation MacBook Pro models coming in the third quarter of this year, Bloomberg's Mark Gurman has weighed in with his own report corroborating some of the details but seemingly differing a bit on others. First, Gurman shares more details on the return of MagSafe charging to the MacBook Pro, indicating...
cook cbs this morning

CBS This Morning: Apple to Make 'Big Announcement' Tomorrow Morning

Tuesday January 12, 2021 8:46 am PST by
CBS This Morning today shared a short clip of an upcoming interview with Apple CEO Tim Cook in which addressing last week's events at the U.S. Capitol, with Cook saying "it's key that people be held accountable for it." Following the clip, Gayle King of CBS noted that the interview with Cook was not specifically arranged to address the current controversy over Parler and other repercussions, ...
iOS 14

Apple Seeds Second Betas of iOS 14.4 and iPadOS 14.4 to Developers [Update: Public Beta Available]

Wednesday January 13, 2021 10:03 am PST by
Apple today seeded the second betas of upcoming iOS 14.4 and iPadOS 14.4 updates to developers for testing purposes, with the new betas coming a month after Apple released the first betas. iOS 14.4 and iPadOS 14.4 can be downloaded through the Apple Developer Center or over the air after the proper profile has been installed on an iPhone or iPad. Paired with the HomePod 14.4 beta that is...
caldigit thunderbolt 4 dock featured

CalDigit Introduces USB-C Dock With 10 Ports and Up to 94W Charging for Macs [Updated]

Wednesday January 13, 2021 9:16 am PST by
CalDigit today unveiled a new Thunderbolt 4 dock with a wide selection of connectivity options, including three USB-A ports, one USB-C port, two HDMI 2.0 ports, a Gigabit Ethernet port, an SD card slot, and a 3.5mm headphone jack. The dock also has a Thunderbolt 4 port that allows it to be connected to a Mac with a single cable, with up to 94W of pass-through charging for the latest MacBook...