A software bug in Cloudflare exposed encrypted personal data from many websites. So far, there are no reported signs that the weakness was exploited by hackers.
The internet company hosts six million websites. By distributing content across the internet and placing it closer to customers, it reduces their exposure to DDoS attacks. The data leak was traced back to a software bug in Cloudflare’s system that sent chunks of unrelated data to users’ browsers when they visited a webpage hosted by Cloudflare.
Cloudflare CTO John Graham-Cumming said the problem was fixed quickly and that the exposed data have now been removed from search engine caches. According to Reuters, the data included “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings as well as cookies, passwords and software keys”. The bug was discovered by Google security researcher Tavis Ormandy.
In an interview with Reuters, Graham-Cumming said “We’ve seen absolutely no evidence that this has been exploited. It’s very unlikely that someone has got this information.”
While the leak may date back as far as Sept. 22, the most affected period is believed to be from Feb. 13 until the discovery on Feb. 18. At its worst, about 120,000 webpages were leaking information every day.
Ormandy also wrote on Twitter that data from Uber and 1Password had been leaking. Reuters reported that “Uber declined to comment, while AgileBits, the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised.”
While Cloudflare is working with Google to remove cached data, the process is not yet complete, so researchers could still find data “if they knew where to look.”
Some security researchers have said the problem is more serious than Cloudflare has described.
Graham-Cumming said it was difficult to say which of its customers were affected. “There will be a debate about how serious this is,” he said. “We do not know of anybody who has had a security problem as a result of this.”