Cloudflare said a serious bug in its edge servers caused private data to leak in responses to clients requesting pages from Cloudflare-protected sites.
The leaked information included HTTP cookies, authentication tokens, and HTTP POST bodies.
“Some of that data had been cached by search engines,” said Cloudflare.
The bug was a buffer overrun that caused Cloudflare’s servers to return memory contents they were not meant to.
Google’s Project Zero reported the issue to Cloudflare, and the two organisations worked to clean search engine caches before disclosing the vulnerability.
“With the help of Google, Yahoo, Bing, and others, we found 770 unique URIs that had been cached and which contained leaked memory,” said Cloudflare.
“Those 770 unique URIs covered 161 unique domains.”
Cloudflare said the earliest date memory could have leaked was 22 September 2016. The period of greatest impact was 13-18 February.
Around 0.00003% of HTTP requests through Cloudflare potentially resulted in memory leakage during that time.
The timeline of the vulnerability was as follows:
- 2016-09-22: Automatic HTTP Rewrites enabled.
- 2017-01-30: Server-Side Excludes migrated to new parser.
- 2017-02-13: Email Obfuscation partially migrated to new parser.
- 2017-02-18: Google reports problem to Cloudflare and leak is stopped.
Google’s Tavis Ormandy posted several redacted examples of the leaked data online.
These included data from Uber, Fitbit, and OkCupid.