A serious security loophole discovered a few days ago in Cloudflare has rattled the web and has hinted at a password leak of unprecedented magnitude for thousands of websites and web services that use Cloudflare.
Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network. Cloudflare operates as an online service, meaning that the bug only needed to be fixed on Cloudflare's own servers, which the company says it has done.
The leakage was most significant between February 13 - 18, just after Cloudflare rolled out a software update.
The researcher says he reached out to CloudFlare via Twitter and immediately canceled his weekend plans due to the bug's severity. "We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything", claimed Ormandy. To make matters worse, many of these pages were then copied automatically by search engines, making the private information viewable in cached versions of their page source code.
In a blog post, John Graham-Cumming said: "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines".
Cloudflare has a significant number of customers, so the list of affected websites (and apps) is quite substantial. "And some of that data had been cached by search engines". Cloudflare said in a blog post there is no evidence that hackers have exploited the data leakage.
United States dollars community reacts to secretary of education nomination
And in her first big policy move, she did. "She's the head of public schools now and she doesn't believe in public schools". Vice President Mike Pence, serving in his role as Senate president, cast the final vote in favor of DeVos' confirmation.
Tavis Ormandy, the Google engineer who noticed the bug claims that he was working on a project when he noticed unexpected data. As Cloudflare notes, that's just 0.00003% of requests.
The original flaw concerned old code that had a latent security problem which was identified only during migration to newer software.
The company blamed the security issue on three minor Cloudflare features that were using the same HTML parser chain that was causing the leakage: email obfuscation, server-side excludes, and automatic HTTPS rewrites.
Cloudflare said the earliest memory could have leaked was 22 September 2016. "Those 770 unique URIs covered 161 unique domains", he said.
If it's sound advice you're looking for, it's a great time to change any re-used password.
Google, and other search sites, had managed to cache - collect and hold - some of the leaked data through their normal internet-crawling processes.