Cloudflare bug leaks sensitive user data throughout the internet

Cloudflare is a content delivery network (CDN) that powers more than 5.5 million websites. Calling it popular is an understatement — and a serious bug has leaked session tokens, passwords, private messages, API keys and other sensitive data into the wild.

Google security researcher Tavis Ormandy discovered the leak earlier in February, and he wrote, “I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.” But the bug may have been leaking information since September of last year. Not only that, but the sensitive data had been cached by Google and other search engines, which means that hackers had the ability to access this data for the past five months.

The leak itself is highly technical. Instead of mangling it, here’s an excerpt from Cloudflare’s official response:

It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.

Once we knew that the bug was being caused by the activation of cf-html (but before we knew why) we disabled the three features that caused it to be used. Every feature Cloudflare ships has a corresponding feature flag, which we call a ‘global kill’. We activated the Email Obfuscation global kill 47 minutes after receiving details of the problem and the Automatic HTTPS Rewrites global kill 3h05m later. The Email Obfuscation feature had been changed on February 13 and was the primary cause of the leaked memory, thus disabling it quickly stopped almost all memory leaks.
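The excerpt describes the general shape of the defect: a parser working through one buffer keeps reading past the end of the bytes it was given, so whatever happens to sit next to that buffer in memory ends up in the output. The following is an added illustration of that class of bug and of the bounds check that prevents it; it is constructed for this article and is not Cloudflare's parser or cf-html. The arena layout, the HTML chunk and the "session" token next to it are all made-up sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for the demonstration: one arena holds an HTML
 * chunk (the bytes the parser is supposed to see) immediately followed by
 * unrelated data that happens to live next to it, standing in for another
 * request's buffer. The token value is invented. */
#define ARENA_SIZE 128
static unsigned char arena[ARENA_SIZE];

/* Fill the arena and return the length of the HTML chunk only. The chunk
 * ends in a tag with no closing '>' because the rest of that tag would
 * arrive in the next buffer. */
size_t build_arena(void) {
    const char *html = "<p>hi</p><a href=\"mailto:x@example.com\">x</a";
    const char *neighbour = "cookie: session=EXAMPLE-TOKEN-1234>";
    size_t n = strlen(html);
    memset(arena, 0, sizeof arena);
    memcpy(arena, html, n);
    memcpy(arena + n, neighbour, strlen(neighbour));
    return n;
}

/* Offset of the last '<' inside the chunk, or len if there is none. */
static size_t last_open(const unsigned char *chunk, size_t len) {
    for (size_t i = len; i > 0; i--)
        if (chunk[i - 1] == '<') return i - 1;
    return len;
}

/* Unchecked scanner: only the terminator test stops the copy, so a truncated
 * tag makes it run straight into whatever follows the chunk. The ARENA_SIZE
 * stop exists solely so this demo never leaves the arena (chunk must point at
 * arena); a real parser written this way has no such safety net. */
size_t extract_last_tag_unchecked(const unsigned char *chunk, size_t len,
                                  char *out, size_t outcap) {
    size_t start = last_open(chunk, len);
    if (start == len) return 0;
    size_t n = 0;
    for (size_t i = start; i < ARENA_SIZE && n + 1 < outcap; i++) {
        out[n++] = (char)chunk[i];
        if (chunk[i] == '>') break;   /* len is never consulted */
    }
    out[n] = '\0';
    return n;
}

/* Checked scanner: the copy is bounded by the length the caller actually
 * handed over. A tag that is not terminated inside the chunk is reported as
 * incomplete (return 0) so the caller waits for the next buffer. */
size_t extract_last_tag_checked(const unsigned char *chunk, size_t len,
                                char *out, size_t outcap) {
    size_t start = last_open(chunk, len);
    if (start == len) return 0;
    size_t n = 0;
    for (size_t i = start; i < len && n + 1 < outcap; i++) {
        out[n++] = (char)chunk[i];
        if (chunk[i] == '>') { out[n] = '\0'; return n; }
    }
    out[0] = '\0';   /* ran off the end without a '>': emit nothing */
    return 0;
}

int main(void) {
    char out[ARENA_SIZE];
    size_t len = build_arena();
    extract_last_tag_unchecked(arena, len, out, sizeof out);
    printf("unchecked: %s\n", out);   /* carries the neighbouring token */
    size_t n = extract_last_tag_checked(arena, len, out, sizeof out);
    printf("checked:   %zu bytes (0 = incomplete tag, wait for more)\n", n);
    return 0;
}
```

The unchecked version returns the truncated tag followed by the neighbouring "cookie: session=..." bytes, which is exactly the shape of the leak: content the page was never meant to contain, drawn from memory adjacent to the buffer. The checked version never reads beyond `len`, and treating "no terminator within the chunk" as an incomplete-input condition rather than a reason to keep scanning is the one design decision that matters.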

Because Cloudflare underpins so many of the websites on the internet, you might be affected even if you don’t have a Cloudflare account yourself. GitHub hosts a list of sites possibly affected by the bug; notable entries include Authy, Patreon, Medium, 4chan, Yelp, OKCupid, and Uber.

If you have accounts on these websites, we suggest you change your passwords immediately (here’s what we’d recommend for stronger passwords). Some sites have an option to log out of all other sessions, which you should use. We’d also recommend you turn on 2FA (two-factor authentication) while you’re changing your passwords, for added security.
