The IT Nerd

User data from 3,400 websites has been leaked and cached by search engines as a result of a bug in the Cloudflare content delivery network. The goal of a content delivery network is to serve content to end-users with high availability and high performance.But instead, this one leaked data and the leaks were spotted by Google security researcher Tavis Ormandy who has a habit of spotting this sort of thing. A Cloudflare blog post acknowledges that the issue was serious, but says there is no evidence of it having been exploited:

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

But Cloudflare’s response was quickly smacked down by Ormandy:

[The company’s blog post] contains an excellent postmortem, but severely downplays the risk to customers.

An unofficial list of sites that may be affected has been posted to Github and it includes sites like Fitbit and Uber, but note that this includes all domains that use Cloudflare DNS. That means that this is a much larger number than use the affected services. In the meantime Google, Bing, Yahoo and other search engines have been working on clearing cached data from the breach before anyone went public. But that doesn’t mean that nothing leaked out as this issue likely existed for months before being patched.

This entry was posted on February 24, 2017 at 8:48 am and is filed under Commentary with tags Cloudflare. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.