In February 2017, Google Project Zero researcher Tavis Ormandy reached out to content delivery network and Internet security services provider Cloudflare about a serious security issue he had stumbled across: some HTTP responses served through Cloudflare's edge contained corrupted pages with chunks of unrelated data appended.
As Cloudflare's John Graham-Cumming explained, a small bug in an HTML parser running on the edge servers caused them to read past the end of a buffer and return adjacent memory. Because a single edge server handles traffic for many unrelated customers, that memory could hold private data from other requests, including encryption keys, passwords, cookies and chunks of POST data.
As The Register explains, in layman’s terms, one can think of it as sitting down at a restaurant at a supposedly clean table. In addition to being handed a menu, you also receive the contents of the previous diner’s wallet or purse.
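To make the mechanism concrete, here is an added illustration in C of the bug class described above; it is not Cloudflare's code or data. Cloudflare's own write-up traced the overrun to a generated parser whose end-of-buffer test compared the input pointer for equality with the end pointer (`p == pe`) rather than for having reached or passed it (`p >= pe`), so a transition that consumed more than one byte at a time could step over the end and keep reading. The example below reproduces that pattern in a tiny tag scanner: the page being rewritten sits in a constructed arena directly in front of another request's memory (a made-up `Cookie:` header), the scanner's entity handling consumes two bytes in one step, and the only difference between the buggy and fixed versions is that one comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout standing in for an edge server's heap: one
   customer's HTML (an unterminated tag ending in '&') is immediately followed
   by data belonging to a different request. Nothing here is real traffic. */
#define PAGE      "<a href=\"/login\" title=\"Sign in &"
#define NEIGHBOUR " Cookie: session=e9a1c4; Authorization: Bearer t0k3n\r\n"
static const char ARENA[] = PAGE NEIGHBOUR;
#define PAGE_LEN  (sizeof(PAGE) - 1)   /* pe: only bytes before this belong to the page */

/* Copy the bytes of a tag starting at p into out, stopping at the closing '>'
   (not copied) or at the end of the page's buffer pe. Returns the number of
   bytes written; out is always NUL-terminated.
   fixed == 0 uses the buggy end check (p == pe), fixed == 1 uses (p >= pe). */
static size_t scan_tag(const char *p, const char *pe,
                       char *out, size_t outsz, int fixed)
{
    size_t n = 0;
    while (n + 1 < outsz) {                 /* keep one byte for the NUL */
        int at_end = fixed ? (p >= pe) : (p == pe);
        if (at_end || *p == '>')
            break;
        if (*p == '&') {
            /* Simplified entity handling: the scanner consumes '&' and the
               first byte of the entity name as one step. If '&' is the last
               byte of the page, p jumps from pe - 1 straight to pe + 1, and an
               equality test against pe will never fire again. */
            out[n++] = *p;
            p += 2;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Helpers for the demonstration: run the scanner over the arena with a 64-byte
   output buffer (as a response rewriter might) and inspect what came out. */
static size_t output_length(int fixed)
{
    char out[64];
    return scan_tag(ARENA, ARENA + PAGE_LEN, out, sizeof out, fixed);
}

/* 1 if the neighbouring request's session cookie ended up in the output. */
static int output_contains_secret(int fixed)
{
    char out[64];
    scan_tag(ARENA, ARENA + PAGE_LEN, out, sizeof out, fixed);
    return strstr(out, "session=e9a1c4") != NULL;
}

int main(void)
{
    char out[64];
    scan_tag(ARENA, ARENA + PAGE_LEN, out, sizeof out, 0);
    printf("buggy (p == pe): %s\n", out);   /* tag followed by the neighbour's cookie */
    scan_tag(ARENA, ARENA + PAGE_LEN, out, sizeof out, 1);
    printf("fixed (p >= pe): %s\n", out);   /* stops at the page's own last byte */
    return 0;
}
```

The buggy scanner copies the page's 33 bytes and then 30 bytes of the neighbour's memory, session cookie included, before it runs out of output space; the fixed one stops as soon as the pointer has passed `pe`. The lesson generalises beyond this bug: any bounds check written as an equality test is only correct if every code path advances the pointer by exactly one byte, so reads should be guarded with `>=` (or, better, with an explicit remaining-length check before any multi-byte step).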
Ormandy notes that once he and his colleagues understood what they were seeing and realized the implications, they immediately reached out to Cloudflare's security team, which wasted little time in getting to work. Graham-Cumming said that because Cloudflare is a service rather than shipped software, bugs can go from being reported to fixed in minutes or hours instead of months. In this instance, they had an initial mitigation in place in 47 minutes (by switching off the edge features that exercised the faulty parser) and completed a global fix in under seven hours.
On Twitter, Ormandy said that the issue had been going on for months, with affected clients including 1Password (which said its users' data was not at risk because it is encrypted end to end before ever reaching Cloudflare), Uber, FitBit and OKCupid, among others.
Graham-Cumming said Cloudflare had found no evidence that the bug was exploited maliciously or known to anyone else before the report. Nevertheless, given that passwords, session cookies and keys were among the data that leaked, it's probably a good idea to go through and change all of your online passwords. Again. Operators of sites that sit behind Cloudflare should also consider invalidating active sessions and rotating any API keys or tokens that may have passed through the affected edge servers.
A list of notable sites and services potentially affected by "Cloudbleed" follows below:
- curse.com (and other Curse sites like minecraftforum.net)