The internet infrastructure company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet.
The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—into the pages it served for a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.
For the most part, the exposed data wasn’t posted on well-known or high-traffic sites, and even if it had been it wasn’t easily visible. But some of the leaked data included sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys. And as Cloudflare’s service spewed random information, that data was being recorded in caches by search engines like Google and Bing and other systems.
“Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site,” Cloudflare CTO John Graham-Cumming explained in a blog post on Thursday. The leak did not expose the transport layer security keys used in HTTPS encryption, but it does appear to have exposed data that HTTPS would otherwise have protected in transit, because the leak happened on Cloudflare’s servers after that data had already been decrypted. And while Graham-Cumming added that there’s no indication in Cloudflare’s logs or elsewhere that bad actors had taken advantage of the flaw, looking for leaked data that hasn’t yet been scrubbed has become something of an internet-wide scavenger hunt.
The good news is that Cloudflare acted quickly to address the bug. It pushed a preliminary fix less than an hour after learning about the issue, and permanently patched the flaw across all its systems around the world in under seven hours. But while the company has worked with Google and other search engines to scrub caches and rein in the exposed data—so that people can’t just run searches to find and collect sensitive information from the leak—the fallout remains.