Cloudflare Bug Leaked Passwords, Dating Chats and Other Sensitive Info for Months


Cloudflare, a company that provides optimization and security services for websites, disclosed a bug that may have exposed passwords, authentication tokens, private messages and other sensitive information since September.

Cloudflare notified its customers Thursday, according to Fortune. Ordinary visitors to those sites, however, have no easy way to tell whether they were affected, because it is websites, not their users, that sign up for Cloudflare's services.

“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” wrote Google Project Zero team member Tavis Ormandy, who alerted Cloudflare to the problem.

Ormandy tweeted that he found information from Uber, OKCupid, Fitbit and 1Password, though the password manager said it was not affected by the bug.

The problem, now mitigated, stemmed from the introduction of a new HTML parser, a specific combination of features that used it, and an “ancient piece of software that contained a latent security problem,” Cloudflare Chief Technology Officer John Graham-Cumming wrote in a blog. That latent problem was a buffer overrun: the older parser tested for the end of its buffer with an equality check (==) rather than >=, so when a malformed page let its pointer step one byte past the end, the check never fired and the parser kept reading, and emitting into the page, whatever happened to sit in adjacent memory, including data from other customers' requests.
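The check described above is easy to get wrong in any hand-rolled or generated scanner, so here is a constructed C model of the bug class, added as an illustration and not Cloudflare's code. The toy scanner, the arena layout (request A's HTML immediately followed by a neighbouring request B's bytes) and the inputs are all invented for the demo; the only thing taken from Cloudflare's post-mortem is the root cause, an end-of-buffer test written as `p == pe` that a pointer landing on `pe + 1` can skip. The buggy mode is safe to run only because the constructed neighbour ends in `>`; a real overrun has no such stop.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory layout (not a real capture): request A's HTML is
 * immediately followed by bytes belonging to another request, B, as in a
 * shared buffer pool. Only the first REQ_A_LEN bytes are given to the parser.
 * REQ_A is cut off right after a '<', the case that trips the bug.
 */
#define REQ_A "<p>hi<"
#define REQ_B "\nCookie: session=s3cr3t>"   /* trailing '>' keeps the demo in-bounds */
static const char arena[] = REQ_A REQ_B;
#define REQ_A_LEN (sizeof(REQ_A) - 1)

/*
 * Toy tag scanner (hypothetical, modelled on the bug class only).
 * For every '<' it steps over the '<' and the first tag-name byte in one
 * move, then copies what follows, up to '>', into out (this stands in for
 * a parser that rewrites tag contents into the page it serves).
 * The two modes differ only in the end-of-buffer test inside the tag:
 *   fixed == 0 : "p == pe"  the latent bug; a pointer at pe + 1 never
 *                           satisfies it and keeps reading past the buffer
 *   fixed == 1 : "p >= pe"  the hardened check
 * Returns the number of bytes written to out; out is NUL-terminated
 * (cap must be at least 1).
 */
static size_t scan_tags(const char *buf, size_t len, char *out, size_t cap, int fixed)
{
    const char *p = buf, *pe = buf + len;
    size_t n = 0;

    while (p < pe) {                  /* outer loop is bounded in both modes */
        if (*p++ != '<')
            continue;
        p++;                          /* skip first tag-name byte: if '<' was the
                                         last byte of the buffer, p is now pe + 1 */
        for (;;) {
            if (fixed ? (p >= pe) : (p == pe))   /* the check under discussion */
                break;
            if (*p == '>') { p++; break; }
            if (n + 1 < cap)
                out[n++] = *p;        /* bytes past pe come from request B */
            p++;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    size_t n;

    n = scan_tags(arena, REQ_A_LEN, out, sizeof out, 0);
    printf("== check: %zu byte(s) emitted from outside the buffer: \"%s\"\n", n, out);

    n = scan_tags(arena, REQ_A_LEN, out, sizeof out, 1);
    printf(">= check: %zu byte(s) emitted: \"%s\"\n", n, out);

    /* One byte longer and the '<' is no longer last: p lands exactly on pe,
       so even the buggy check stops. The bug is strictly the off-by-one. */
    n = scan_tags(arena, REQ_A_LEN + 1, out, sizeof out, 0);
    printf("== check, '<' not last: %zu byte(s) emitted\n", n);
    return 0;
}
```

With the buggy check the scanner copies request B's cookie line into request A's output; with `>=` it copies nothing, and the same buggy scanner is harmless on the input that is one byte longer, which is why such a bug can lie dormant until a new front end changes how buffers are cut.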

The company also worked with search engines that may have cached the data.

“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Graham-Cumming wrote.

Ormandy applauded the company’s fast response to the problem, but said Cloudflare’s response “severely downplays the risk to customers.”

More than 5.5 million sites use Cloudflare, according to Fortune.