A
Cloudflare service used by millions of websites to enhance security and
performance said that it had fixed the flaw quickly after being alerted
a week ago by Google researcher Tavis Ormandy.
A Cloudflare service used by millions of websites to enhance security and performance said that it had fixed the flaw quickly after being alerted a week ago by Google researcher Tavis Ormandy.
“It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” Cloudflare chief technology officer John Graham-Cumming said in a blog post.
“And some of that data had been cached by search engines.”
“We fetched a few live samples and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major Cloudflare-hosted sites from other users,” Ormandy said in an online post about the flaw.
“This situation was unusual, (personally identifiable information) was actively being downloaded by crawlers and users during normal usage, they just didn’t understand what they were seeing.”
Ormandy said in a Twitter message fired off from @taviso that Cloudflare has been leaking information for months, jeopardizing supposedly secure data at major websites including Uber, OKCupid, Fitbit and 1Password.
A cry for people to change all of their online passwords because of the bug buzzed at Twitter, where “#CloudBleed” hashtag was a trending topic.
No comments:
Post a Comment