The content delivery network, Cloudflare has recently published a blog post describing a memory leak in their software. Which caused thousands of webpages hosted by Cloudflare leak encrypted personal data, however the company is confident that it has not been exploited by hackers yet.
Tavis Ormandy at Google Project Zero contacted Cloudflare to report a security problem, that had been sending chunks of unrelated data to users browsers when they visited a webpage hosted by Cloudflare.
The leak was fixed within hours of it being reported but there is an ongoing risk that some sensitive information could still be available through third party caches.
Cloudflare says that through search cache they have discovered data that had been exposed from approximately 150 of Cloudflare’s customers across their Free, Pro, Business, and Enterprise plans.
The problem occurred when the company decided to develop a new HTML parser for its edge servers. This code suffered from a buffer overflow vulnerability triggered by unbalanced HTML tags on pages.
The Leaked Data was quite Sensitive:
Google security researcher says that some of this data included private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings as well as cookies, passwords and software keys.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Some security experts believe that the problem is more serious than Cloudflare has described and there will be a debate about how serious this is, if hackers manage to exploit this information.
Cloudflare hosts nearly six million websites, spreading them across the Internet to put them closer to customers while at the same time reducing their exposure to DDoS attacks that might knock them offline.