Recently, it was discovered that CloudFlare, a popular content delivery network, had a bug that was accidentally leaking customers’ sensitive information. According to the company, this was going on for months. However, there are no remaining data security concerns, since the company has already fixed the problem.
Specifically, the leaked data includes the following:
– Frames from adult video sites
– Private messages from major dating sites
– Hotel bookings
– Online password manager data
– Entire messages from a popular chat service
The bug was spotted and reported by Tavis Ormandy, a data security researcher from Google.
CloudFlare was quick to respond. Within hours, they disabled several new features that they believed had caused the data security problem to surface: email obfuscation, automatic HTTPS rewrites, and server-side excludes.
However, it took them an entire week to address the issue in full. Meanwhile, search engine crawlers were collecting and storing the leaked information, and CloudFlare had to work with search engines like Google and Yahoo to remove these sensitive entries from their indexes.
Back in September, CloudFlare decided to incorporate a new piece of code into their system, which introduced a bug that leaked the contents of memory. In the hacking world, this is known as a buffer overrun. An earlier coding error caused massive data security problems later down the road.
John Graham-Cumming, chief tech officer at CloudFlare, explained that the ancient piece of software contained a latent security problem, and that it only showed up when they had begun the process of migrating away from it.