UPDATED 00:27 EST / FEBRUARY 24 2017


Cloudflare patches bug that leaked data from Uber, Fitbit and others

Content delivery network provider Cloudflare Inc. has patched a software bug that exposed sensitive information, including passwords, cookies and tokens used to authenticate users, from the websites of its 5.5 million customers, including those of Uber Technologies Inc., OkCupid and Fitbit Inc.

The security flaw was first discovered by Google Project Zero security researcher Tavis Ormandy last week. It is believed to date back to September and involved corrupted web pages being returned for some HTTP requests routed through Cloudflare.

“I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,” Ormandy wrote. “We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Cloudflare operates as a CDN, a system of distributed servers that delivers web pages and other web content to a user based on geographic location. It’s used by companies to distribute their services across the globe. For example, if you’re in Southeast Asia and contacting Uber, your web or app request would go through Cloudflare’s servers in Singapore rather than contacting Uber’s servers in the United States directly.

What Tavis Ormandy found is that secure requests passing through Cloudflare’s network were corrupted, making user details, including passwords, publicly available. Even more disturbingly, the data was exposed widely enough that it was cached by Google and other search engines.

Cloudflare is downplaying the incident, saying that despite the fact that data was cached by Google and others, the data was only available in “some unusual circumstances.”

The company attributed the security issue to three minor Cloudflare features that used the same HTML parser chain responsible for the leakage: email obfuscation, server-side excludes and automatic HTTPS rewrites.

Although the good news is that Cloudflare has now patched its service, the extent of the leaked data is of deep concern to some. Privacy News Online called it the “worst privacy leak in recent Internet history.”

Image: wongo888/Flickr
