Cloudflare bug may have leaked data for many client sites (but not PCGamesN)


Update February 24, 2017: We said you probably don’t need to worry, but it turns out you really probably don’t need to worry.

Pertaining to a memory leakage bug discovered in the last day or two, Cloudflare have written to PCGamesN assuring us that your data is safe. Since they’re reaching out to their clients individually, the chances are that unless a website you use has posted a specific warning, you’re probably fine.

Cloudflare say they’ve reviewed the third party caches (e.g. the Google search cache) where their clients’ leaked user data would be stored.

“Your domain is not one of the domains where we have discovered exposed data in any third party caches,” they tell us. “The bug has been patched so it is no longer leaking data.”

Cloudflare have promised to notify us directly if they find any leaked data, and assure us that “we have yet to find any instance of the bug being exploited”.

Original story February 24, 2017: A widely-used web security service has suffered from a memory leaking bug. There’s a very, very small chance that any sensitive information, including passwords, you’ve given to websites that use Cloudflare – and many do – may have been released to the Internet as a result.

The bug was brought to Cloudflare’s attention by a Google vulnerability researcher, who spotted that some requests run through their service were returning corrupted web pages.

Cloudflare is an internet proxy that aims to protect websites from malicious attacks, such as distributed denial-of-service (DDoS) attacks. Many sites use it, including PCGamesN, Reddit, Patreon and Discord.

A blog post by Discord’s CTO includes a helpful list of sites that use Cloudflare, which you can check to see if you might’ve been affected. Discord say the “likelihood that your information was leaked on any of these sites is very low” – the leakage occurred in 0.00003% of all requests since September 2016, with no way to target specific information.

Nevertheless, this has happened, so the security-conscious among you may want to change your passwords on the affected sites.

Cloudflare programmer John Graham-Cumming wrote a detailed post on their blog, which contains all the technical points. In summary, the leak occurred because in some circumstances Cloudflare’s edge servers – a type of server that sits at the edge between two networks, through which Cloudflare runs HTML pages – “were running past the end of a buffer and returning memory that contained private information”. This included “HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”

Graham-Cumming assures readers that Cloudflare customer SSL private keys were not leaked, that the problem was quickly identified, and that the three minor Cloudflare features that used the parser chain that caused the leakage were all turned off.
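
To show what “running past the end of a buffer” means in practice, here is an added toy model in C; it is not Cloudflare’s code and not part of the original story. One array stands in for server memory holding a web page followed by another request’s leftover data; the trigger (a page that ends inside an unclosed tag), the function names and the sample data are all assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed data: one array models server memory in which a customer's
   page is followed directly by bytes left over from another request. */
#define BODY  "<p>hi</p>"
#define TAG   "<img src=x"                       /* page ends inside this tag */
#define OTHER "Cookie: session=EXAMPLE-TOKEN>"   /* neighbour's data */
static const char MEMORY[] = BODY TAG OTHER;
enum { TAG_START = sizeof(BODY) - 1, PAGE_LEN = sizeof(BODY TAG) - 1 };

static char OUT[128];  /* what would be sent back to the visitor */

/* Flawed: copies a tag up to '>' and trusts the page to contain one. */
size_t emit_tag_unbounded(const char *page, size_t start)
{
    size_t n = 0;
    for (size_t i = start; page[i] != '>' && n + 1 < sizeof OUT; i++)
        OUT[n++] = page[i];
    OUT[n] = '\0';
    return n;
}

/* Hardened: same loop, but it never reads at or beyond page_len. */
size_t emit_tag_bounded(const char *page, size_t page_len, size_t start)
{
    size_t n = 0;
    for (size_t i = start; i < page_len && page[i] != '>' && n + 1 < sizeof OUT; i++)
        OUT[n++] = page[i];
    OUT[n] = '\0';
    return n;
}

/* 1 if the response now contains the other request's cookie. */
int response_leaks(void) { return strstr(OUT, "session=") != NULL; }

int main(void)
{
    size_t n = emit_tag_unbounded(MEMORY, TAG_START);
    printf("unbounded: %zu bytes, leak=%d: %s\n", n, response_leaks(), OUT);
    n = emit_tag_bounded(MEMORY, PAGE_LEN, TAG_START);
    printf("bounded:   %zu bytes, leak=%d: %s\n", n, response_leaks(), OUT);
    return 0;
}
```

The only difference between the two functions is the explicit length check, which is why the bounded version returns just the page’s own 10 bytes while the unbounded one also hands back the neighbouring cookie.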