Cloudflare bug may have compromised over 1000 sites

Bruce Johnson and Marketplace staff

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in Cloudflare, a content delivery network.

The leak reportedly stemmed from a bug in the HTML parser chain Cloudflare uses to rewrite and optimize web pages as they pass through its edge servers. Cloudflare disabled the features that triggered the problem and began working to purge caches of data that could have exposed personal information. An official list of affected websites has not yet been published. "At that point it was no longer possible for memory to be returned in an HTTP response", Cloudflare writes. "There was no need to carry out an active attack to obtain the data - my mum may have someone else's passwords stored in her browser cache just by visiting another CloudFlare fronted site".
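The parser failure described above, as an added C illustration (not Cloudflare's code): a tag scanner that steps its pointer by two bytes on `=` and tests for the end of its buffer with `==` instead of `>=`, so an unterminated tag at the buffer boundary lets it copy whatever sits next in memory into its output. The memory layout and the "adjacent" request data are constructed inline for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed heap layout (not real Cloudflare data): a page buffer whose last
 * tag is cut off at the boundary, followed by another request's data. */
static const char region[] =
    "<p>hi</p><script src="             /* PAGE_LEN bytes, tag unterminated */
    "Authorization: Bearer tok_9f3c>";  /* adjacent memory, must not be read */
#define PAGE_LEN 21

/* Copy the <script ...> tag at buf into out (NUL-terminated), stopping at '>'.
 * strict_bound picks the end-of-buffer test: 0 = "p == pe", which a pointer
 * that has already stepped past pe never satisfies; 1 = "p >= pe". */
static size_t copy_script_tag(const char *buf, size_t len, int strict_bound,
                              char *out, size_t out_cap)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    if (len < 7 || memcmp(buf, "<script", 7) != 0)
        return 0;
    while (n + 1 < out_cap) {
        char c = *p;        /* with the weak test this reads beyond pe */
        out[n++] = c;
        if (c == '>')
            break;
        /* The scanner assumes '=' is followed by a quote and skips both bytes;
         * when '=' is the last byte of the buffer this lands one past pe. */
        p += (c == '=') ? 2 : 1;
        if (strict_bound ? (p >= pe) : (p == pe))
            break;
    }
    out[n] = '\0';
    return n;
}

/* 1 if the scanner emitted bytes from beyond the page buffer, else 0. */
static int leaks_adjacent_memory(int strict_bound)
{
    char out[64];
    size_t tag_len = PAGE_LEN - 9;   /* "<script src=" is 12 page bytes */
    size_t n = copy_script_tag(region + 9, tag_len, strict_bound, out, sizeof out);
    return n > tag_len;
}

int main(void)
{
    printf("weak  check leaks adjacent memory: %d\n", leaks_adjacent_memory(0));
    printf("strict check leaks adjacent memory: %d\n", leaks_adjacent_memory(1));
    return 0;
}
```

The weak check emits the bearer token that was never part of the page, which is exactly the kind of cross-request data the article says ended up in cached responses; the `>=` check stops at the boundary.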

The issue, which has been dubbed "Cloudbleed" in reference to the 2014 Heartbleed bug that allowed attackers to steal information that should have been protected by encryption, was first caught by Google security researcher Tavis Ormandy.

Ormandy says that the Project Zero team who analyzed the issue "observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users" in the samples of collected data.

Cloudflare acts as a reverse proxy for millions of websites, including those of major internet services and Fortune 500 companies, for which it provides security and content optimization services behind the scenes. The company says it has found no evidence that anyone used the bug to hack any websites, although hundreds of thousands of websites were open to being hacked for a time.

Popular middleman web service Cloudflare has been hit by a serious security flaw, admitting that it has been leaking information from clients' TLS-protected traffic over the past months.

The good news is that this means the chance that any given piece of data you care about leaked is slightly less than your chance of dying of food poisoning, and far less than your chance of being struck by lightning.

Late last week, Tavis Ormandy of Google's Project Zero discovered a serious memory-handling issue that was potentially leaking sensitive information from websites that use Cloudflare. The leaked memory might have contained sensitive data, such as passwords or private communications. A user on GitHub has compiled a list of the sites that use Cloudflare's DNS servers. Security entrepreneur Ryan Lackey recommended the same, though he noted it was unlikely that the average web user's password was in danger of being stolen. He added that the issue only appeared as Cloudflare was moving from the old to the new software last week.

With assistance from Google, Bing, Yahoo, and others, Cloudflare found that data from at least 161 domains had been leaked and cached.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up.
