You never want to read about an internet security company that “accidentally leaked” sensitive data, but that is apparently what happened. Cloudflare, Inc. is a U.S. company that provides a content delivery network, security as a service, Internet security services and distributed domain name server services. It sits between the visitor and the Cloudflare user’s site, acting as a reverse proxy for websites.
A bit ironic when you consider their business…security as a service….right!
The firm reports that it has since fixed the issues at the heart of the problem. The leaked data included private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites and hotel bookings. This includes full https requests, client IP addresses, full responses, cookies, passwords, keys, data…pretty much everything.
Sites reported as having spilled data included Uber, 1Password, FitBit, and OKCupid. Indeed, even sites seemingly protected by HTTPS, a security measure designed to keep hackers and spies from snooping on Internet traffic, were affected.
The memory leakage issue, known technically as a buffer overrun, began in September when CloudFlare swapped a new bit of code (an HTML parser) into its system. The program itself didn’t contain the major flaw, according to CloudFlare, but rather its introduction caused a separate and earlier coding error to, for lack of a better term, go kablooey.
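The kind of defect described above, as an added illustration that is not Cloudflare’s code: a toy tag scanner in C whose scan is bounded only by the closing `>` and the output buffer, never by the end of its input, so an unterminated tag makes it copy whatever happens to sit after the request in memory, shown next to the bounded version that refuses such input instead. The arena layout, the scanner itself and the neighbouring “cookie” bytes are all constructed for this example; nothing here is taken from Cloudflare’s parser.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Cloudflare's code: a fixed arena stands in for
 * process memory. The parser is supposed to see only the first REQ_LEN
 * bytes (one request body, ending in an unterminated <img tag); what
 * follows models an unrelated request that must never be exposed. */
#define ARENA_LEN 64
#define REQ_LEN   22
static const char arena[ARENA_LEN] =
    "<p>hello</p><img src=x"                 /* 22 bytes, no closing '>' */
    "\r\n"
    "cookie=session-token-of-other-user>";   /* neighbouring data */

/* Copy the tag that starts at the last '<' of buf into out (NUL-terminated).
 * Returns the byte count, or -1 if the buffer holds no tag at all.
 * BUG: the scan stops only at '>' or when out is full; it never compares
 * p against buf + len, so an unterminated tag reads past the request. */
int last_tag_unbounded(const char *buf, size_t len, char *out, size_t out_len)
{
    const char *p = buf + len;
    while (p > buf && p[-1] != '<')          /* walk back to the last '<' */
        p--;
    if (p == buf)
        return -1;
    p--;                                     /* p now points at '<' */
    size_t n = 0;
    while (n + 1 < out_len) {
        out[n++] = *p;                       /* over-read happens here */
        if (*p == '>')
            break;
        p++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Same scanner with the input end enforced. An unterminated tag is now
 * reported as -2 instead of being "completed" from neighbouring memory. */
int last_tag_bounded(const char *buf, size_t len, char *out, size_t out_len)
{
    const char *end = buf + len;
    const char *p = end;
    while (p > buf && p[-1] != '<')
        p--;
    if (p == buf)
        return -1;
    p--;
    size_t n = 0;
    while (p < end && n + 1 < out_len) {     /* FIX: never read at or past end */
        out[n++] = *p;
        if (*p == '>')
            break;
        p++;
    }
    out[n] = '\0';
    if (n == 0 || out[n - 1] != '>')
        return -2;                           /* truncated tag: reject, don't guess */
    return (int)n;
}

typedef int (*tag_parser)(const char *, size_t, char *, size_t);

/* Runs a parser over the request slice of the arena and reports whether
 * the output carries bytes from outside that slice (the neighbour's token). */
int leaks_neighbour_data(tag_parser parser)
{
    char out[ARENA_LEN];
    int n = parser(arena, REQ_LEN, out, sizeof out);
    return n > 0 && strstr(out, "session-token") != NULL;
}

int main(void)
{
    printf("unbounded scanner leaks neighbour data: %s\n",
           leaks_neighbour_data(last_tag_unbounded) ? "yes" : "no");
    printf("bounded scanner leaks neighbour data:   %s\n",
           leaks_neighbour_data(last_tag_bounded) ? "yes" : "no");
    return 0;
}
```

The point of the arena is that an over-read is only visible from the outside: the unbounded scanner returns a perfectly well-formed tag, just one assembled partly from another request. Bounding every read by the input length, and treating truncated input as an error rather than something to complete from whatever follows in memory, is the fix this class of bug needs.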
A researcher drew a tongue-in-cheek comparison to Heartbleed — the computer bug discovered in 2014 that also caused sensitive data to leak from HTTPS sessions — by referring to the CloudFlare bug as “CloudBleed.”
It remains to be seen whether CloudFlare, or any of CloudFlare’s customers, will advise or force people to change their passwords and authentication credentials, though multiple security professionals have recommended taking that precaution.
So don’t wait…change your passwords now if any of your sites use CloudFlare services.