Cloudflare got its skates on to fix a bug which could have exposed shedloads of user data.
For those not in the know, Cloudflare helps optimise the security and performance of more than 5.5 million websites so when it warned customers that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users.
The leak may have been active since September 22, nearly five months before it was discovered, although the most significant period of impact was from February 13 and February 18. Google cached some sensitive data, so can be found on a search. Hackers could access the data in real-time by making Web requests to affected websites and to obtain some of the leaked data later by crafting queries on search engines.
Cloudflare CTO John Graham-Cumming wrote in his bog that the bug was severe because the leaked memory could contain private information and because search engines had cached it.
“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”
Apparently, there was a bug in an HTML parser chain Cloudflare uses to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.
When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random data.
Within an hour of the bug coming to Cloudflare’s attention early last Saturday morning, engineers had already disabled e-mail obfuscation, a measure that mostly plugged the memory leak. It took another six hours for Cloudflare to identify and fix the underlying bug in the HTML parser.