A Google researcher has uncovered a massive Web leak from a cloud services company that potentially exposes passwords and other sensitive data from consumers using major services like Uber, FitBit, Medium, Yelp, and OKCupid.
The biggest threat came from cached data left in Google's search engine query results, which included private information. The names of several potentially affected Web sites have been published, although Cloudflare has not published an official list.
Tavis Ormandy, vulnerability researcher at Google, found the leak on February 17 while working on another project. He said his team fired a load of junk data at Cloudflare servers and in some cases he received responses that contained information about memory. The unexpected data caught the eye of his co-workers, too, and after trying to debug the code, it became clear that "we were looking at chunks of uninitialized memory interspersed with valid data," he wrote in a post.
He eventually determined that the problem was caused by a vulnerability in code from Cloudflare. "My working theory was that this was related to their 'ScrapeShield' feature, which parses and obfuscates html -- but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers," Ormandy said.
Cloudflare explains the root cause of the bug on its Web site and acknowledges that the "bug was serious," but Cloudflare programmer John Graham-Cumming writes that the company has "not discovered any evidence of malicious exploits of the bug or other reports of its existence."
The greatest impact from the leak occurred between February 13 and February 18, 2017, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in a memory leak.
Aside from personal information, Graham-Cumming wrote that there were concerns because "chunks of in-flight HTTP requests for Cloudflare customers were present in the dumped memory," which could contain passwords. Other data would include "JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens)."