CloudFlare Server Bug Sees Sensitive Customer Data Exposed As Plain Text

Sensitive data has been leaked across the Internet by CloudFlare for months due to a memory leakage bug in the content delivery network’s edge servers.

Rather than a malicious data breach caused by hackers, the leak was down to a flaw that enables sensitive information such as passwords, cookies, and authentication tokens to be visible as plain text on websites of CloudFlare’s customers.

Normally this information is obscured from view or encrypted, but the bug would have allowed for visitors to see the sensitive data on the sites for which CloudFlare provides content delivery, security and performance services.

CloudFlare bug flares-up

Now patched, the flaw in the CloudFlare’s edge servers is reported to have been active since September 2016, and remained that way for five months until it was spotted by Google’s Project Zero cyber security team.

“Our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines,” explained John Graham-Cumming, CTO at CloudFlare.

Overall, Graham-Cumming said the memory leakage only affected 0.00003 percent of HTTP requests made to CloudFlare’s edge servers – around one in every 3,300,000 HTTP requests. However, given CloudFlare’s customers number around five million, that still means a good number of websites could have been affected by the bug.

Furthermore, the cached data made it challenging for CloudFlare to conduct clean up operations after the bug was patched, as it needed to ask browser providers, such as Google, Yahoo and Microsoft’s Bing to remove the sensitive data from their user’s browser caches.

That being said, Graham-Cumming noted that there has been no indication that the leaked data has been exploited by malicious actors or hackers, as CloudFlare would have detected unusual activity on its customer’s websites should that have been the case.

Yet this does not mitigate that the bug was a major security flaw, particularly as it not only exposed passwords and other security data but also exposed potentially embarrassing private messages made by users of the OKCupid online dating service as well as messages on what a Project Zero researcher describes as a well-known chat service.

“We keep finding more sensitive data that we need to cleanup. I didn’t realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” Project Zewro member Tavis Ormandy said.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Such data breaches appear to be increasingly common; CloudFlare was lucky that no damage has really been done from the leak. But Yahoo has felt the sting of a major breach in both reputation and monetary terms.

How well do you know network security? Try our quiz and find out!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

2 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

2 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago