CloudFlare Server Bug Sees Sensitive Customer Data Exposed As Plain Text

The problem stems from a security issue with the company's edge servers that caused corrupted Web pages to be returned by some HTTP requests run through its service, according to Cloudflare.

Rather than a malicious data breach caused by hackers, the leak was due to a flaw that allowed sensitive information such as passwords, cookies, and authentication tokens to appear as plain text in pages served for CloudFlare's customers' websites.

For months, a bug in Cloudflare's content optimization systems exposed sensitive information sent by users to websites that use the company's content delivery network.

The problem was initially spotted by Tavis Ormandy, working for Google's Project Zero security initiative, on February 18th, but the flaw may have been in effect as early as September 22nd of last year. The Project Zero researcher then used Twitter to get the attention of Cloudflare, which quickly acknowledged the issue and immediately disabled the three features that were using the broken code.

CloudFlare explained that the greatest period of vulnerability was from February 13 to February 18, with around 1 in every 3,300,000 HTTP requests through CloudFlare's services resulting in a memory leak. This means that random users could have received other users' passwords and private data.

The bug, discovered by Google security researcher Tavis Ormandy, allowed sensitive data from Cloudflare-powered websites to be cached by search engines, including Google.

"Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug", the company wrote in a blog post following Ormandy's public disclosure on Thursday. "I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have, etc.", Ormandy wrote.

Ormandy shared that he spotted hotel bookings, passwords and even full messages from dating sites within the cached data.

"We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," says Ormandy.

Some of the most popular Bitcoin services on the internet may have leaked sensitive user information, including passwords.

"In some cases, they'll contain snippets of private conversations happening on a service that is using Cloudflare". Because Cloudflare serves billions of pages each day, the number of leaky pages added up to about 120,000 a day, the company said. The company says it has found no evidence that anyone used the bug to hack any websites, although hundreds of thousands of websites were exposed for a time.

Making the issue even more severe was the fact that search engines were caching that leaked information. The practical advice is simple: change your most important passwords.

If you have or had accounts on Fitbit, Uber, OkCupid, Medium, or Yelp, you should probably change your passwords.
