Popular website service Cloudflare leaked private data

Popular website service Cloudflare leaked private data
© Getty

Cloudflare, a firm providing services to more than 5 million websites, appears to have been leaking user data that should have been protected. 

According to a blog post by Chief Technology Officer John Graham-Cumming, in “unusual instances,” when certain servers answered web requests, unrelated data stored in memory was included. That additional data included sensitive information. 

The problem has already been fixed, says the blog post. 


The unusual circumstances appear to have occurred infrequently. Between Feb. 13 and 18, what the blog describes as the “greatest period of impact,” only one in every 3.3 million requests could have possibly triggered the error. However, some leaked private data appears to have been archived by search engines. 

Cloudflare provides a service to optimize the connection between users and websites. That can mean finding the closest web server to a user to speed up web response times or fending off malicious attacks attempting to clog sites' bandwidth. 

The security glitch was brought to the attention of Cloudflare by Google researcher Tavis Ormandy. 

Omandy, who works at Google’s security research operation Project Zero, caused some early concern last week trying to report the bug when he tweeted, “Could someone from cloudflare security urgently contact me.”  

The security vulnerability is similar enough to Heartbleed, an even wider-spread glitch discovered in 2012, that some have nicknamed the Cloudflare bug “Cloudbleed.” 

But there are important differences. Heartbleed could reveal SSL keys — the encryption keys used to prevent hackers from monitoring secure transactions. Per the blog post, Cloudbleed did not leak SSL encryption keys. It did, however, leak other sensitive protection information, including codes to authenticate users. 

Heartbleed affected a popular encryption package that many server-owners separately installed, and many chose not to immediately remediate the problem, leaving websites vulnerable and allowing the theft of 4.5 million healthcare records from Community Health Systems. Cloudflare operates as an online service, meaning that the bug only needed to be fixed on Cloudflare’s own servers, which the company says it has done. 

Cloudflare said it had worked with search engine providers to remove cached copies of any user data from search results. It also said it had not found user data on sites like PasteBin, often used by hackers to share breach information.