Cloudflare Bug Leaks User Data from Popular Websites; 1Password Still Safe

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, has been suffering from a bug recently, causing the passwords, cookies and tokens used to authenticate users by millions of sites to leak. The company revealed yesterday that a bug in its coding had put many users’ sensitive information at risk.

A typo in the source code of a Cloudflare component has exposed the personal information of users visiting sites protected by Cloudflare’s service, along with potentially more sensitive details such as cookies, passwords, authentication tokens, API keys, and others, reads a new report from Ars Technica.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. “We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

Almost a week ago, Google Project Zero security researcher Tavis Ormandy discovered an issue with Cloudflare’s edge servers, finding corrupted web pages being returned by some HTTP requests run through Cloudflare.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” Ormandy wrote.

At this point it is still unknown how much data may have been leaked in what is now being called “Cloudbleed,” which may make it difficult for companies and users to decide what their most prudent reaction to this bug report should be.

Cloudflare specializes in improving the performance and redundancy of websites, as well as offering protection against attacks such as distributed denial-of-service (DDoS). The discovery shows how a weak link in just a single widely used cloud service can have a vast impact on data security downstream.

As for AgileBits’ 1Password? The company explained in a blog post no sensitive data was leaked:

No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.