Cloudflare bug leaks users’ sensitive website data


Personal data belonging to computer users visiting dating sites, banking services and retailers may have been exposed due to a bug in a system that protects services from cyber attacks.

An issue with Cloudflare, which filters sites’ traffic for malicious activity, was discovered to be including unencrypted private data – including passwords and private messages – in some web pages. Google Project Zero’s Tavis Ormandy notified the firm of the problem, which affected as many as 120,000 web pages per day at its peak between February 13 and 18.

“It turned out that in some unusual circumstances… our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data,” wrote Cloudflare’s chief technology officer John Graham-Cumming in a blog post. “And some of that data had been cached by search engines.”
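The failure mode Graham-Cumming describes is a classic out-of-bounds read: a scan over a response buffer whose stopping condition depends on the content rather than on the buffer length, so malformed input sends it past the end into whatever happens to sit next in memory. The following C program is an added illustration, not Cloudflare’s code and not a reproduction of the actual parser. It lays out a constructed arena in which a page fragment with an unterminated HTML tag is immediately followed by a made-up cookie header from another request, then runs a toy tag-copying rewriter over the page twice: once with an unbounded scan for the closing `>` (which copies the neighbouring “secret” into the output) and once with every scan bounded by the buffer length (which rejects the malformed input instead).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory layout for the demo: one arena holds the page being
 * rewritten, immediately followed by unrelated data from another request.
 * In the real incident the neighbouring memory held cookies, tokens and
 * POST bodies; here it is a made-up cookie header. Keeping everything in
 * one array makes the over-read deterministic and keeps the demo itself
 * within defined behaviour. */
#define ARENA_SIZE 256
static char arena[ARENA_SIZE];
static const char PAGE[]      = "<html><body>Hello<script src=\"a.js\"";   /* tag never closed */
static const char NEIGHBOUR[] = "Cookie: session=SECRET-TOKEN-123\r\n<p>ok</p>";

/* Copies PAGE into the arena and NEIGHBOUR right after it; returns the
 * arena and the length of the page the rewriter is allowed to read. */
const char *lay_out_arena(size_t *page_len)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, PAGE, sizeof PAGE - 1);
    memcpy(arena + sizeof PAGE - 1, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    *page_len = sizeof PAGE - 1;
    return arena;
}

/* Buggy rewriter: copies text and tags through, but locates the end of a
 * tag by scanning for '>' without checking the buffer end. When the tag
 * is unterminated the scan runs off the page into the neighbour's data
 * and copies it into the response. */
size_t rewrite_buggy(const char *buf, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len && o + 1 < outcap) {
        if (buf[i] != '<') { out[o++] = buf[i++]; continue; }
        size_t j = i;
        while (buf[j] != '>') j++;            /* BUG: bounded only by content */
        for (size_t k = i; k <= j && o + 1 < outcap; k++) out[o++] = buf[k];
        i = j + 1;
    }
    out[o] = '\0';
    return o;
}

/* Fixed rewriter: every scan is bounded by len. An unterminated tag is an
 * error, not permission to keep reading; the caller gets -1 and an empty
 * output and must not serve the response. */
long rewrite_fixed(const char *buf, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len && o + 1 < outcap) {
        if (buf[i] != '<') { out[o++] = buf[i++]; continue; }
        size_t j = i;
        while (j < len && buf[j] != '>') j++;
        if (j == len) { out[0] = '\0'; return -1; }   /* unterminated tag */
        for (size_t k = i; k <= j && o + 1 < outcap; k++) out[o++] = buf[k];
        i = j + 1;
    }
    out[o] = '\0';
    return (long)o;
}

/* 1 if the buggy rewriter's output contains the neighbour's secret. */
int buggy_rewriter_leaks(void)
{
    size_t len; const char *buf = lay_out_arena(&len);
    char out[ARENA_SIZE];
    rewrite_buggy(buf, len, out, sizeof out);
    return strstr(out, "SECRET-TOKEN") != NULL;
}

/* 1 if the fixed rewriter ever emits the secret (it must not). */
int fixed_rewriter_leaks(void)
{
    size_t len; const char *buf = lay_out_arena(&len);
    char out[ARENA_SIZE];
    long n = rewrite_fixed(buf, len, out, sizeof out);
    return n >= 0 && strstr(out, "SECRET-TOKEN") != NULL;
}

/* 1 if the fixed rewriter rejects the unterminated page with -1. */
int fixed_rewriter_rejects_input(void)
{
    size_t len; const char *buf = lay_out_arena(&len);
    char out[ARENA_SIZE];
    return rewrite_fixed(buf, len, out, sizeof out) == -1;
}

int main(void)
{
    size_t len; const char *buf = lay_out_arena(&len);
    char out[ARENA_SIZE];
    rewrite_buggy(buf, len, out, sizeof out);
    printf("buggy output : %s\n", out);
    printf("fixed result : %ld (negative means rejected)\n",
           rewrite_fixed(buf, len, out, sizeof out));
    return 0;
}
```

The buggy output ends with the neighbour’s cookie line because the inner loop’s only exit is finding a `>`, and the first one after the page happens to live in someone else’s data. The fix is not a different algorithm but a second condition on the same loop, which is why this class of bug survives code review so easily and why fuzzing with deliberately truncated inputs is the practical way to find it.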

He said the firm acted quickly to turn off features using the affected technology, and staff around the world worked round the clock to “ensure this bug and its consequences are fully dealt with”. Graham-Cumming added that Cloudflare has not discovered evidence of malicious use of the bug. “We are grateful that it was found by one of the world’s top security research teams and reported to us,” he wrote, noting that at its peak the bug affected only 1 in 3.3 million HTTP requests.

Because the unencrypted data was included in web page output, some of it was cached by Google and other search engines during their usual crawling and indexing processes. Cloudflare worked with these search engines to remove 770 cached unique URLs containing leaked memory data before it went public with the bug.

“Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” Graham-Cumming wrote in his explanation of the incident. “Our internal infosec team is now undertaking a project to fuzz older software looking for potential other security problems.”


Copyright Lyonsdown Limited 2021
