Cloudflare Bug Leaks Encrypted Personal Data on Hosted Sites

Web performance and security company Cloudflare was alerted to a security problem with its edge servers last Friday by Tavis Ormandy from Google’s Project Zero. It turns out Cloudflare had a bug in its software that left webpages hosted by the company leaking encrypted personal data.

Because of the number of websites hosted by Cloudflare, the company cannot be sure which sites were affected. However, it insists there is no evidence that this bug has been exploited by hackers.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” said John Graham-Cumming, Cloudflare CTO, in a blog post. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”

Though a fix has been deployed for the bug and patches implemented, Graham-Cumming told Reuters that the process was not yet complete, and that some researchers were still finding data because of this.