User Data From 3,400 Websites Leaked Due To Cloudflare Bug

User data from approximately 3,400 apps, websites, and online services was leaked online due to a bug in Cloudflare, an online content delivery network. The company acknowledged the incident on Thursday but stated that while hundreds of services were affected, there’s no evidence that the issue has been exploited by anyone. The exposed data was cached by Internet search engines, but because everything was encrypted, the chance of anyone being compromised is relatively low. Regardless, Cloudflare was still accused of downplaying the significance of the incident, since the issue could potentially cause more problems in the future. Some of the affected services include the likes of Fitbit, OKCupid, and Uber, as well as 1Password. However, the latter service already commented on the incident and stated that none of its users were affected thanks to end-to-end encryption.

Regardless, cyber security experts are still recommending that affected users change their passwords as a preventive measure. Cloudflare’s John Graham-Cumming revealed that some sensitive information, like authentication tokens and HTTP cookies, was exposed as a result of the bug, but no private SSL keys were leaked. The problem was apparently caused by an HTML parser chain used by some Cloudflare features like Automatic HTTPS Rewrites and email obfuscation. After those features were turned off, Cloudflare established two teams in London and San Francisco, which managed to resolve the issue on a global level in less than seven hours, Graham-Cumming said.

Regardless, the issue had been present for a while and managed to expose user data from hundreds of websites and online services. Experts estimate that Cloudflare had been leaking data for months before Google’s Tavis Ormandy from Project Zero started suspecting what was happening and notified Cloudflare about the issue. Google Search, Microsoft Bing, and other Internet search engines are currently in the process of purging the accidentally cached data from their directories, but because many of them have public caches, it’s possible someone already made a copy of all the sensitive information leaked by Cloudflare. However, the risk of being compromised is still relatively low. Those interested in the technical details behind this entire ordeal can learn more by following the source link below.