{"id":200272,"date":"2017-02-24T17:45:22","date_gmt":"2017-02-24T15:45:22","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=200272"},"modified":"2017-02-24T17:47:10","modified_gmt":"2017-02-24T15:47:10","slug":"cloudbleed-massive-bug-leaks-private-data-from-cloudflare","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/200272-cloudbleed-massive-bug-leaks-private-data-from-cloudflare.html","title":{"rendered":"Cloudbleed – Massive bug leaks private data from Cloudflare"},"content":{"rendered":"

Cloudflare said\u00a0a serious bug in its end servers caused private data to leak in response to clients requesting pages from Cloudlfare-protected sites.<\/p>\n

The leaked information included\u00a0HTTP cookies, authentication tokens, and HTTP POST bodies.<\/p>\n

“Some of that data had been cached by search engines,” said Cloudflare.<\/p>\n

The bug was caused by a buffer overrun which returned\u00a0the contents of memory in Cloudflare’s servers which it wasn’t meant to.<\/p>\n

Google’s Project Zero reported the issue to Cloudflare, and the two organisations worked to clean search engine caches before disclosing the vulnerability.<\/p>\n

“With the help of Google, Yahoo, Bing, and others, we found 770 unique URIs that had been cached and which contained leaked memory,” said\u00a0Cloudflare<\/a><\/strong>.<\/p>\n

“Those 770 unique URIs covered 161 unique domains.”<\/p>\n

Cloudflare said the earliest memory could have leaked\u00a0was 22 September 2016. The period of greatest impact was 13-18 February.<\/p>\n

Around 0.00003% of HTTP requests through Cloudflare potentially resulted\u00a0in memory leakage during that time.<\/p>\n

The timeline of the vulnerability was as follows:<\/p>\n