Cloudflare data leak potentially exposed trove of passwords, personal information for months
Time to change your passwords.
Cloudflare, an internet services provider that manages 10 percent of all web traffic, has been leaking assorted bits of customer information — passwords, cookies, personal information, messages and more — since a bug appeared in their code in September 2016, according to a company statement released late Thursday. The company maintains behind-the-scenes details, such as protection from cyber attacks and large-scale backups, for websites and mobile apps like Uber, OKCupid, FitBit, League of Legends, Glassdoor and the online tip jar Patreon. (Here’s a list of Cloudflare clients.)
The vulnerability came to light after security analysts at Google’s Project Zero spotted an overflow error that was leaking potentially sensitive information to search engines and other websites that scrape data from the internet. Overflow errors, as handily explained by this XKCD comic, occur when more information is requested of a web server than can be output. The wrong data within the server is then selected and spat back out for all eyes on the network to see.
Think about this leak this way: You and your neighbors (Cloudflare’s web clients) asked the post office (Cloudflare) to open, inspect and perhaps even alter your mail for security, to make sure it arrives safely and on time at its addressed destination. The post office does this diligently for a while, but all of a sudden one errant piece of mail arrives at the post office and causes a postal worker to behave erratically. The worker, stricken with confusion, begins reading and copying bits and pieces of other private letters that happen to be in the post office at that time and combines them with your mail. When your letter reaches its final destination, it includes your letter along with, unbeknownst to the recipient, some interesting tidbits from your neighbors’ mail as well.
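The post-office analogy above can be made concrete with a small piece of C. What follows is an added illustration written for this article, not Cloudflare’s code and not the parser that Project Zero found: it models a proxy that strips HTML tags from one customer’s page while another customer’s data sits next to it in the same memory. The tag format, the two customers’ contents and the 128-byte arena are all constructed for the demo. The first scanner terminates only when its pointer is exactly at the end of the page, so a page whose last tag is cut off makes the pointer jump past the end and the scanner keeps copying the neighbour’s bytes; the second scanner checks the remaining length before it skips a tag and stops on any overshoot.

```c
#include <stdio.h>
#include <string.h>

/* Constructed demo: one arena stands in for the shared heap of a proxy
 * process that rewrites pages for many customers at once. Customer A's
 * page is immediately followed in memory by customer B's buffered data.
 * The array is sized larger than its contents so every read in this demo
 * stays inside one allocation. */
static const char ARENA[128] =
    "<b>hello<b"                                   /* A: final tag truncated */
    "Cookie: session=B-SECRET-COOKIE-EXAMPLE\n";   /* B: neighbour's data   */

#define PAGE_A_LEN 10   /* bytes of ARENA that belong to customer A */

/* Vulnerable scanner (illustrative, not Cloudflare's parser). Tags are
 * assumed to be exactly three bytes ("<b>") and are skipped with p += 3.
 * The loop test is p != end, so if a skip lands one byte past end the test
 * never becomes true again and the scanner copies whatever follows in
 * memory until the output buffer fills. Returns the number of bytes copied. */
size_t strip_tags_vulnerable(const char *page, size_t len, char *out, size_t outcap)
{
    const char *p = page, *end = page + len;
    size_t n = 0;
    while (p != end && n + 1 < outcap) {
        if (*p == '<') { p += 3; continue; }   /* skip a "<x>" tag */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened scanner: compare with < so any overshoot terminates the loop,
 * and check the bytes remaining before skipping a tag so the pointer can
 * never leave the page slice in the first place. */
size_t strip_tags_fixed(const char *page, size_t len, char *out, size_t outcap)
{
    const char *p = page, *end = page + len;
    size_t n = 0;
    while (p < end && n + 1 < outcap) {
        if (*p == '<') {
            if ((size_t)(end - p) < 3) break;   /* truncated tag: stop here */
            p += 3;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if the vulnerable scanner's output for page A contains
 * customer B's session value, i.e. the neighbour's data leaked. */
int vulnerable_leaks_neighbor(void)
{
    char out[48];
    strip_tags_vulnerable(ARENA, PAGE_A_LEN, out, sizeof out);
    return strstr(out, "session=") != NULL;
}

/* Returns 1 if the hardened scanner yields only page A's own text. */
int fixed_output_is_clean(void)
{
    char out[48];
    strip_tags_fixed(ARENA, PAGE_A_LEN, out, sizeof out);
    return strcmp(out, "hello") == 0;
}

int main(void)
{
    printf("vulnerable scanner leaks neighbour data: %s\n",
           vulnerable_leaks_neighbor() ? "yes" : "no");
    printf("hardened scanner output is clean:        %s\n",
           fixed_output_is_clean() ? "yes" : "no");
    return 0;
}
```

The point of the demo is the one the article makes: the "errant piece of mail" is a single malformed page, nothing in it is an attack payload, and the data that leaks belongs to a different customer who never sent anything unusual. The defensive lesson is equally plain: a bounds check written as "not equal to the end" is only correct if the pointer can never step over the end, so every skip must be checked against the remaining length, and memory shared between tenants should be treated as sensitive by default.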
The problem arises if data lands in an insecure location where someone — a rival company or hacker — can siphon and publicize it.
In an interview with NewsHour, Cloudflare CEO Matthew Prince said he was confident that the issue had been fixed before anyone noticed. The company claimed the bug had been corrected globally in under seven hours once Project Zero notified them.
“What other people don’t know outside of our organization is the data on how many requests actually triggered the bug, whereas we have that data,” Prince said. “If we had seen a significant spike in the requests to those pages, I would feel much less comfortable.”
Cloudflare worked with all of the major search engines like Google, Bing and Yahoo to clear the leaked data. But some cybersecurity experts are concerned about overseas search engines that may still have this data on their servers.
“This issue is possibly worse than the Heartbleed bug because this time the leaked data has been cached throughout the internet by various search engines including DuckDuckGo, Baidu, and Google throughout the lifetime of the bug,” cybersecurity expert David Weinstein wrote for NowSecure. “Search engines constantly crawl the web and Cloudflare customer data leaks would be part of the data the engines cache.”
Prince declined to comment on which sites had been affected as a matter of company policy. Uber told 9to5Mac that no breach had occurred with their customer data, as did OKCupid and 1Password. The chat service Discord reported that they were affected by the data leak.
“Make no mistake, I agree with anyone who says that this was a very serious bug,” Prince said. “And I think it would be a fair characterization to say that we dodged a bullet in terms of the risk.”