Software engineers at Google have revealed that for the last several months, CDN provider Cloudflare has effectively been leaking private data all over the Internet, distributing it into ordinary users' caches. Cloudflare's edge servers rewrite and cache customers' pages to speed them up, and a flaw in that processing caused the security hole.
The flaw was only discovered when an intrepid developer noticed strange, apparently corrupt data while debugging and decided to find out where it came from. The leaked data is reported to include text from private chats, payment information and passwords used on the affected websites.
The "corrupt" data turned out to be memory from Cloudflare's edge servers, holding data from other customers' HTTPS sessions. Whenever a page containing a particular combination of malformed HTML tags passed through the service, the parser read past the end of the page and the leaked memory was injected into the response, which was then cached and served on to other visitors. Much of this highly sensitive data is still scattered across caches, from search engines and other third-party caches to ordinary users' local browser caches. Any site or service that uses Cloudflare may have been affected.
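The parser flaw behind the leak is worth seeing in code. The snippet below is an added illustration written for this page, not Cloudflare's code (Cloudflare's parser was generated by Ragel, and its root cause was an end-of-buffer check written as an equality test that the read pointer could step past). It assumes a tiny attribute-value scanner in which a backslash consumes the following byte, and a constructed memory layout in which an unrelated HTTPS request sits directly after the page buffer. With the `p == pe` check the scan runs off the end of the page into the neighbouring request; with `p >= pe` it stops at the boundary. Everything named here (`scan_attr_value`, `arena`, the sample page and request) is invented for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative simplification of the bug class, not Cloudflare's code.
 * scan_attr_value() copies an HTML attribute value (the bytes from p up to
 * the closing double quote) into out. A backslash takes the byte after it as
 * a literal, which is where the bounds check matters:
 *   strict == 0 tests end-of-input with "p == pe" (the buggy form),
 *   strict == 1 tests it with       "p >= pe" (the hardened form).
 * Returns the number of bytes written to out (excluding the NUL).
 */
size_t scan_attr_value(const char *p, const char *pe, char *out, size_t cap, int strict)
{
    size_t n = 0;
    for (;;) {
        /* End-of-input check. With "==", a pointer that has already stepped
         * past pe is never caught and the scan continues into whatever memory
         * happens to follow the page buffer. */
        if (strict ? (p >= pe) : (p == pe))
            break;
        if (*p == '"')
            break;
        if (*p == '\\') {
            p++;                    /* consume the escaped byte as well */
            if (strict && p >= pe)  /* hardened: escape at end of input, stop */
                break;
        }
        if (n + 1 < cap)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample memory layout (not real leaked data): a page fragment
 * whose last byte is a backslash inside an unterminated attribute value,
 * immediately followed by an unrelated request that sits next to it in
 * memory. The neighbour contains a double quote, so even the buggy scan
 * stops inside this array and the demo stays well-defined C. */
#define PAGE     "<a href=\"/login?next=\\"
#define NEIGHBOR "GET /account HTTP/1.1\r\nCookie: session=\"s3cr3t-token\"\r\n"
static const char arena[] = PAGE NEIGHBOR;
#define PAGE_LEN  (sizeof(PAGE) - 1)
#define VALUE_OFF 9   /* index just past the opening quote of href="..." */

/* Runs the scan over the constructed arena; returns bytes copied into out. */
size_t demo_scan(int strict, char *out, size_t cap)
{
    return scan_attr_value(arena + VALUE_OFF, arena + PAGE_LEN, out, cap, strict);
}

/* Number of bytes the scan emits for the given bounds-check variant. */
size_t demo_len(int strict)
{
    char out[256];
    return demo_scan(strict, out, sizeof out);
}

/* 1 if the scan pulled the neighbouring request's cookie line into the output. */
int demo_leaks_neighbor(int strict)
{
    char out[256];
    demo_scan(strict, out, sizeof out);
    return strstr(out, "Cookie: session=") != NULL;
}

int main(void)
{
    char out[256];
    size_t n = demo_scan(0, out, sizeof out);
    printf("p == pe : %zu bytes copied, neighbour leaked: %s\n",
           n, demo_leaks_neighbor(0) ? "yes" : "no");
    n = demo_scan(1, out, sizeof out);
    printf("p >= pe : %zu bytes copied: \"%s\"\n", n, out);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it. The buggy variant copies the attribute value and then keeps going through the neighbouring request up to its first double quote, which is exactly how headers, cookies and bodies belonging to other sessions ended up inside cached pages. In a real server the over-read is undefined behaviour into heap memory rather than a deliberately constructed array, so the only safe fix is the inequality check: any code path that can advance a pointer by more than one byte must use `>=`, and the check should be treated as a hard error, not a soft stop.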
One of the engineers posted:
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I've informed Cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
Another engineer said he was baffled that Cloudflare had not contacted them about the issue.
Cloudflare has since reported the issue as fixed, in that its servers no longer leak the data. However, much of the leaked information still exists in caches on Internet-connected devices and in third-party caches, and may be subject to malicious use.
You can read more at the original source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139