Sensitive private info getting leaked on the Internet is one of the many drawbacks of today’s connected world. That is why online companies dedicate a lot of resources to ensure that their user’s data is safe from leakage by hackers or by bugs.
CloudFlare is an Internet company and in a blogpost, they shared about a “memory leak caused by a bug” which was spotted by Travis Ormandy from Google’s Project Zero.
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
Travis wrote on a post about CloudFlare’s leak on February 19th where he discovered an unsettling thing:
We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of PST data and even HTTPS requests for other major cloudflare- hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.
CloudFlare took that matter with utmost seriousness and decided to pen down a lengthy blogpost to explain what happened. According to the company, “the greatest period of impact was from February 13 and February 18 with around 1 in 3,300,000 HTTP requests through CloudFlare potentially resulting in memory leakage.”
CloudFlare found out that there were three features that were using the same HTML parser chain which caused the leakage. Thankfully CloudFlare revealed that they were able to fix the bug of this nature in under 7 hours which was under the industry standard of three hours.
Well, it might be time to change your passwords yet again since these leaks have become more common than ever. Yahoo had a massive breach that leaked data of a billion users and also Twitter had a case of user account details being sold on the dark web.