Cloudflare revealed today that, for months, all of its protected websites were potentially leaking private information across the Internet. Specifically, Cloudflare’s reverse proxies were dumping uninitialized memory; that is to say, bleeding private data. The issue, termed Cloudbleed by some (but not its discoverer Tavis Ormandy of Google Project Zero), is the greatest privacy leak of 2017 and the year has just started.
For months, since 2016-09-22 by their own admission, Cloudflare has been leaking private information through Cloudbleed. Basically, random data from random sites (again, it’s worth mentioning that every site that used Cloudflare in the last half year should be considered to have fallen victim to this) would be randomly distributed across the open Internet, and then indefinitely cached along the way.
Cloudflare’s Cloudbleed bled private information for months
The troves of private information that are now out there thanks to Cloudbleed, and unlikely to ever be completely erased, boggle the mind. These troves could include everything from sensitive individual user account info such as social security numbers, dates of birth, credit card information, and passwords to the more technical stuff such as keys, sessions, etc. That is to say, it isn’t wrong to assume that any of your private data that passed through a Cloudflare-“protected” website has likely bled out over the last months due to Cloudbleed.
Tavis Ormandy emphasized:
The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
As of this writing, the private information that Cloudflare leaked is still out there. Despite Cloudflare taking the time to work with search engines such as Google, Microsoft’s Bing, and Yahoo to delete these caches of private information, users on Hacker News are still reporting that sensitive information remains query-able via Google.
Consequence of @taviso's Cloudbleed discovery: essentially any traffic which passed through Cloudflare (even https) recently might be public
— Ryan Lackey (@octal) February 24, 2017