OKCupid, 1Password, Uber and more have leaked customer data all over the Internet for MONTHS because of Cloudflare CDN security flaw

Software engineers at Google have revealed that for the last several months, CDN provider Cloudflare has effectively leaked private data all over the Internet – distributing it into ordinary users’ caches. The service caches data to speed up web pages, and a flaw in this process caused the security hole.

The flaw was only discovered when an intrepid developer, while debugging, found some strange, apparently corrupt data and decided to find out what it was. The flaw has allegedly leaked text from private chats and payment information, as well as passwords used on these websites.

This turned out to be HTTPS session data which was cached by the service and redistributed to others who visited web pages when a certain configuration of tags appeared on the web page. Much of this highly sensitive data is now left littered around in many people’s local caches. Sites and services that use Cloudflare and may have been affected by the vulnerability include:

  • OKCupid.com
  • 1Password.com
  • Uber
  • FitBit
  • Upwork.com
  • codepen.io
  • news.ycombinator.com
  • medium.com
  • fiverr.com
  • thepiratebay.org
  • getbootstrap.com
  • laravel.com
  • laracasts.com
  • digitalocean.com

An engineer posted:

The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up. I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

Another engineer expressed that he was baffled that Cloudflare had not chosen to contact them about the issue.

It has since been reported that this issue is now ‘solved’, in that Cloudflare will no longer leak the data. However, much of this information still exists in caches on internet-connected devices and may be subject to malicious use.

You can read more at the original source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

 

 

 
