Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked from many client websites during the five months before the bug was discovered and reported by Tavis Ormandy, a Google researcher.
Unfortunately, it’s still not entirely clear how many Cloudflare customers were affected by the bug. The leaked data was cached by search engines in some cases, making the clean-up of the leak a difficult process. Although Google, Yahoo, Bing and other search engines worked to scrub the data before Cloudflare publicly disclosed the bug, researchers reported today that they were still finding samples of leaked data in search engine caches.
“You can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search… and they work,” Hector Martin, a security researcher, tweeted. (The Cloudflare incident has earned the nickname CloudBleed after being compared to the HeartBleed vulnerability.) Martin discovered an authentication cookie for a financial website, Motherboard reported.