Cloudflare, a service used by more than 5.5 million websites, may have leaked passwords and authentication tokens due to a bug in an HTML parser chain.
Cloudflare uses this parser chain to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.
The leakage may have been active since September 22, 2016, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18, 2017, according to Ars Technica.
Furthermore, Google and other search engines cached some of the highly sensitive data that was leaked. Cloudflare researchers have identified 770 unique URIs that contained leaked memory and were cached by Google, Bing, Yahoo, or other search engines. The 770 unique URIs covered 161 unique domains.
Therefore, for the entire time the bug was active, hackers had the ability to access the data in real time by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.
Security engineers have already disabled e-mail obfuscation, and identified and fixed the underlying bug in the HTML parser.
Commenting on this, David Berman, CipherCloud, said: “Third-party data leak risk is a constant concern for consumer-facing businesses and enterprises. And while most third-party providers support best practices like SSL for data-in-transit and data-at-rest encryption for storage, a huge gap exists for ‘data in use’ including sensitive information like PII, IP addresses, keys, tokens and passwords.”