Cloudflare bug ‘Cloudbleed’ leaks private data online

Agence France-Presse

This is AI generated summarization, which may have errors. For context, always refer to the full article.

Cloudflare bug ‘Cloudbleed’ leaks private data online
Essentially, sensitive data intended for temporarily storage overflowed 'buffering' memory space and was then tucked into more exposed spots such as web pages. These could then be indexed by search engines in some cases.

SAN FRANCISCO, USA – Internet users over the weekend were being urged to change all their passwords in the wake of a Cloudflare bug that could have leaked passwords, messages and more from website visits.

A Cloudflare service used by millions of websites to enhance security and performance said on Friday, February 24 (February 25, Manila time), that it had fixed the flaw quickly after being alerted a week ago by Google researcher Tavis Ormandy.

“It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” Cloudflare chief technology officer John Graham-Cumming said in a blog post.

“And some of that data had been cached by search engines.”

Essentially, sensitive data intended to be temporarily stored overflowed “buffering” memory space and was then tucked into more exposed spots such as web pages that could then be captured by online search engines, according to descriptions of the bug.

“We fetched a few live samples and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” Ormandy said in an online post about the flaw.

“This situation was unusual, (personally identifiable information) was actively being downloaded by crawlers and users during normal usage, they just didn’t understand what they were seeing.”

Ormandy said in a Twitter message fired off from @taviso that Cloudflare has been leaking information for months, jeopardizing supposedly secure data at major websites including Uber, OKCupid, Fitbit and 1Password.

A cry for people to change all of their online passwords because of the bug buzzed at Twitter, where “#CloudBleed” hashtag was a trending topic. – Rappler.com

Add a comment

Sort by

There are no comments yet. Add your comment to start the conversation.

Summarize this article with AI

How does this make you feel?

Loading
Download the Rappler App!