Cloudflare bug may have compromised over 1000 sites

Bruce Johnson and Marketplace staff

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network.

The leakage reportedly resulted from a bug in an HTML parser chain used by Cloudflare to optimize webpages as they pass through the servers at the service's end. Cloudflare disabled the features that were causing the problem, and began working to delete caches of data that could have potentially exposed personal information. An official list of websites affected hasn't been given yet. "At that point it was no longer possible for memory to be returned in an HTTP response", Cloudflare writes. "There was no need to carry out an active attack to obtain the data - my mum may have someone else's passwords stored in her browser cache just by visiting another CloudFlare fronted site".
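The page does not describe the exact defect in Cloudflare's parser, so the following is an added illustration (not Cloudflare's code) of the bug class it names: a page-rewriting parser whose end-of-input check is an equality test, so an unterminated tag at the end of a page lets it copy whatever memory follows the page, here a constructed neighbouring request, into the HTTP response. The fixed variant uses a strict bound and stops at the page boundary.

```c
#include <stdio.h>
#include <string.h>

/* One array standing in for the shared heap of a proxy process: the page being
 * rewritten is immediately followed by another user's request (constructed). */
static const char arena[] =
    "<html><body>hello<scr"                        /* page, cut off mid-tag */
    "\nPOST /login password=s3cr3t&user=alice\r\n"; /* next request in memory */
#define PAGE_LEN 21   /* the proxy only "owns" the first 21 bytes */
#define OUT_CAP  32   /* size of the response buffer being filled */

/* Strip tags from the page into out (NUL-terminated; out holds OUT_CAP+1 bytes).
 * fixed == 0 reproduces the bug class: after an unterminated tag the cursor is
 * stepped past `end`, and because the loop tests `p != end` instead of
 * `p < end`, it keeps copying whatever memory follows the page. */
size_t strip_tags(int fixed, char *out) {
    const char *p = arena, *end = arena + PAGE_LEN;
    size_t n = 0;
    while ((fixed ? p < end : p != end) && n < OUT_CAP) {
        if (*p == '<') {
            if (fixed) {
                while (p < end && *p != '>') p++;   /* scan to end of tag */
                if (p < end) p++;                   /* step past '>' only if present */
            } else {
                while (p != end && *p != '>') p++;
                p++;                                /* bug: may step past `end` */
            }
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* 1 if the rewritten output contains bytes from outside the page. */
int output_leaks(const char *out) { return strstr(out, "s3cr3t") != NULL; }

int vulnerable_leaks(void) { char out[OUT_CAP + 1]; strip_tags(0, out); return output_leaks(out); }
int fixed_leaks(void)      { char out[OUT_CAP + 1]; strip_tags(1, out); return output_leaks(out); }

int main(void) {
    char out[OUT_CAP + 1];
    strip_tags(0, out); printf("vulnerable: \"%s\" leak=%d\n", out, output_leaks(out));
    strip_tags(1, out); printf("fixed:      \"%s\" leak=%d\n", out, output_leaks(out));
    return 0;
}
```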

The issue, which has been dubbed "Cloudbleed" in reference to the 2014 Heartbleed bug that allowed hackers to exploit a vulnerability to steal encrypted information, was first caught by Google security researcher Tavis Ormandy.

Ormandy says that the Project Zero team who analyzed the issue "observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users" in the samples of collected data.

Cloudflare acts as a reverse proxy for millions of websites, including those of major internet services and Fortune 500 companies, for which it provides security and content optimization services behind the scenes. The company says it has found no evidence that anyone used the bug to hack any websites, although hundreds of thousands of websites were open to being hacked for a time.


Popular middleman web service Cloudflare has been hit by a serious security flaw, admitting that it has been leaking information from clients' TLS-protected traffic over the past months.

The good news is that this means the chance that any given piece of data you care about leaked is slightly less than your chance of dying of food poisoning, and far less likely than your being struck by lightning.

A user on GitHub has composed a list of all the sites that use Cloudflare's DNS servers. Security entrepreneur Ryan Lackey recommended the same, though noted it was unlikely the average web user's password was in danger of being stolen. That memory might have contained sensitive data, like passwords or private communications. He added that the issue only appeared as Cloudflare was moving from the old to the new software last week. Late last week, Tavis Ormandy from Google's Project Zero discovered a rather large memory issue that was potentially leaking sensitive information from websites that use Cloudflare.

With assistance from Google, Bing, Yahoo, and others, Cloudflare found that data from at least 161 domains had been leaked and cached.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up.
