Content delivery network Cloudflare has confirmed the existence of a bug that caused search engines to cache sensitive user data from a variety of well-known apps and websites. Google researcher Tavis Ormandy discovered and reported the bug to Cloudflare, and the company has since fixed the bug and published a detailed blog post about exactly what happened.

According to Cloudflare, the period of greatest impact for the "parser bug" ran from February 13 to February 18, although the extent of the leak stretches back months. The heart of the issue was a security problem with Cloudflare edge servers, which were returning corrupted web pages by some HTTP requests running on Cloudflare's large network.

cloudflare logo
In what the company referred to as "some unusual circumstances," occasionally private information was returned as well, including "HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data."

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

As shared in a tweet by Ormandy this week, that data also included private dating site messages from OKCupid, full messages from a "well-known chat service," passwords from password managing apps like 1Password, and more (via Fortune). In response, some companies -- like 1Password -- have published blog posts confirming that "no 1Password data is put at any risk through the bug reported about CloudFlare."

To expedite a solution, Cloudflare responded to Ormandy's discovery and turned off three minor features of the network -- email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites -- discovered to be using the same HTML parser chain "that was causing the leakage."

In its blog post, the company said that it has "not discovered any evidence of malicious exploits" in relation to the time that the parser bug was active. It also noted that, while serious, the scale of the bug was still relatively low: around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. "That’s about 0.00003% of requests," the company noted.

Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches. The company's chief technology officer, John Graham-Cumming, concluded the blog saying, "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it."

Earlier this week, it was reported that Apple cut ties with server supplier Super Micro Computer in order to avoid a potential future scenario where user data might be put at risk, similar to Cloudflare's leak. Early in 2016, Apple was said to have discovered a potential security vulnerability in one of Super Micro Computer's data center servers and effectively ended its business relationship with the network company shortly thereafter.

For a technical dive into Cloudflare's parser bug and its origins, check out the company's blog post.

Top Rated Comments

AndyK Avatar
95 months ago
If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').
Score: 5 Votes (Like | Disagree)
Parasprite Avatar
95 months ago
If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').
Note that this means your master password is safe if you happen to use a 1Password account. This doesn't mean that there is any less risk for other data (including logins and other sensitive data).
Score: 1 Votes (Like | Disagree)
campyguy Avatar
95 months ago
I get how 1Password can say 'not affected' but I don't get how some of the others can. I have domains and DNS at Namecheap, and read their page about their investigation. I don't understand how they can say not affected, though. Unless I'm misunderstanding what happened, how would they even know (or be able to investigate)? No one logged into their site during the affected time periods?

Anyway, yea, using a password manager is a very good idea, as you can have a good, strong UNIQUE password for every site (i.e.: if one gets compromised, it's only that site). But, changing them can still be a pain for things like Dropbox, email, etc. where the change impacts all your systems and devices.
Sorry for the delay, a client popped in with Scotch - here in the office we couldn't say no to either one… ;)

I'd been poring over my own resources about getting to the bottom of this as well, and cruising the web for a more-narrowed or focused explanation and found one on Wired with some quotes from Cloudflare's CEO that broke it down for me, the whole post is a good read and the CEO's comments begin about halfway down starting with the "What Happens Now" header:
https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

Keep in mind that the CEO cites a number of affected customers and not a number of affected web sites or portals… Cheers!
Score: 1 Votes (Like | Disagree)

Popular Stories

airpods pro 2 pink

Apple Releases New AirPods Pro 2 Firmware

Tuesday May 28, 2024 11:46 am PDT by
Apple today released new firmware update for both the Lightning and USB-C versions of the AirPods Pro 2. The new firmware is version 6F7, up from the 6B34 firmware released in November. Apple does not provide details on what features might be included in the refreshed firmware beyond "bug fixes and other improvements," so it is unclear what's new in the update. Apple does not give...
maxresdefault

Report: These 10 New AI Features Are Coming in iOS 18

Sunday May 26, 2024 12:57 pm PDT by
iOS 18 and macOS 15 will offer an array of new AI features such as auto-generated emojis, suggested replies to emails and messages, and more, Bloomberg's Mark Gurman reports. Subscribe to the MacRumors YouTube channel for more videos. A significant portion of Apple's Worldwide Developers Conference (WWDC) is expected to focus on AI features. Writing his latest "Power On" newsletter, Gurman...
wwdc 2024 main image feature

Apple Confirms Time for June 10 WWDC Keynote, Shares Full Schedule

Tuesday May 28, 2024 10:21 am PDT by
Apple today shared details on the schedule that it has prepared for the 2024 Worldwide Developers Conference, which is set to take place from June 10 to June 14. While WWDC always includes a keynote, Apple has confirmed that it will be held on June 10 at 10:00 a.m. Pacific Time. Apple is expected to announce iOS 18, iPadOS 18, macOS 15, tvOS 18, watchOS 11, and visionOS 2, and at this time,...
Apple iPhone 15 Pro lineup Action button 230912

Apple Green-Lights iPhone 16 Pro Display Production

Tuesday May 28, 2024 5:13 am PDT by
Samsung Display and LG Display have been granted approval for mass production of OLED screens for Apple's upcoming iPhone 16 Pro models, Korea's The Elec reports. Both suppliers apparently received approval earlier this month, paving the way for the commencement of mass production of screens for the iPhone 16 Pro models. While Samsung Display will supply OLED screens for all four iPhone 16...
iPad Pro Landscape Apple Logo Feature

Apple Says Future iPads Could Feature Landscape Apple Logo

Monday May 27, 2024 6:31 am PDT by
French website Numerama interviewed three senior Apple employees about the new iPad Pro models that launched earlier this month. While the discussion did not reveal many new details, it did mention one potential change for future iPads. While the Apple logo on the back of iPads is positioned so that it appears upright in vertical orientation, the devices are often used in landscape...