Cloudflare, a web performance and security company, revealed some grave news today: a serious bug in its software caused sensitive data, including passwords, cookies and other authentication tokens, to be leaked onto the web, with dire implications for the more than 5 million websites it currently serves. The leak is said to have begun as early as last September, roughly five months before a security researcher at Google’s Project Zero reported it.
It’s worth noting that the period of greatest impact was between February 13th and 18th, when around 1 in every 3,300,000 HTTP requests passing through Cloudflare could have resulted in memory being leaked.
Cloudflare was quick to point out that data was leaked in only about 0.00003% of requests, a small fraction by any measure. True, but across the volume of traffic Cloudflare handles that is still a large number of affected requests, and because the leaked memory could contain data from any customer’s traffic passing through the same servers, a site did not have to trigger the bug itself to have its data exposed. Cloudflare’s extensive customer base includes services such as dating websites and password managers, which hold highly sensitive information.
The bug was said to lie in an HTML parser that Cloudflare runs on pages as they pass through its edge servers to improve website performance; among other things, it prepares pages for distribution on Google’s AMP publishing platform and rewrites HTTP links to HTTPS.
Cloudflare itself was also affected by the bug. According to a statement from Cloudflare CTO John Graham-Cumming, “One obvious piece of information that had leaked was a private key used to secure connections between Cloudflare machines,” a key that allowed the company’s internal systems to talk to one another. So far there is no evidence that attackers exploited the bug for nefarious purposes, though it is still early days.
Cloudflare’s San Francisco and London teams worked around the clock to correct the problem once it was reported.