A Google researcher has uncovered what could be the worst web leak from CloudFlare of 2017 to date, exposing passwords, personal messages and other sensitive information from an enormous number of websites, including major services like Uber, Fitbit and OKCupid.
CloudFlare Massive web leaks found by Google
It’s being dubbed CloudBleed by some, because the problem was caused by a vulnerability in code from a hugely popular web company, CloudFlare, and wasn’t dissimilar to the notorious Heartbleed bug of 2015. It’s similar to Heartbleed in that CloudFlare, which hosts and serves content for at least two million websites, was returning random chunks of memory from vulnerable servers when requests came in.
The bad news is that CloudFlare-backed websites had been leaking data for months before Ormandy noticed the bug. CloudFlare says the earliest data leak dates back to September 2016. It’s so far unclear whether blackhat hackers had already found the vulnerability and exploited it secretly before CloudFlare fixed its code. Cloudflare’s clients include huge companies like Uber, OKCupid, 1Password, and Fitbit. That means a holy fuck ton of sensitive data has potentially been compromised.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Tavis Ormandy wrote:
“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
According to Google, the leak poses a serious threat because search engines had been caching the leaked information. Another major concern is that CloudFlare generally hosts content from completely different sites on the same server, so a request to a vulnerable website could reveal information about a separate, unrelated CloudFlare site.
Cloudflare, Inc. is a U.S. company that provides a content delivery network, Internet security services, and distributed domain name server services.
Given the scale of the leak, it is advisable for internet users, including online marketers, to change their passwords. Source via Forbes